Apple Patches Actively Exploited Zero-Day Bug in iOS and iPadOS

With iOS 18.6.2 and iPadOS 18.6.2, Apple has patched a critical security vulnerability that was already being actively exploited on a small scale.

Hackers can exploit a previously unknown security issue in iOS and iPadOS through a manipulated image file. With version 18.6.2, Apple is releasing a patch that fixes the problem.

The vulnerability is located in ImageIO, the system component responsible for processing image files. A specially crafted file can corrupt memory through a so-called “out-of-bounds write”: while the file is being processed, data is written to memory locations outside the permitted boundaries, which potentially allows exploitation. In simple terms, the bug makes it possible to trick the system into executing malicious code.

Apple says it is aware of a report that the vulnerability may have been exploited in a targeted attack against specific individuals. Hackers, for example those from nation-states, often use unknown zero-day bugs to set up targeted espionage attacks.

Urgent Update

The security vulnerability is tracked as CVE-2025-43300. Apple says the update resolves the issue by implementing stricter controls for processing image data.

The update is available for iPhone XS and later, and for various iPad models, including the iPad Pro 12.9-inch from the third generation, the iPad Pro 11-inch from the first generation, iPad Air from the third generation, iPad from the seventh generation, and iPad mini from the fifth generation.

The fix is not limited to iOS 18.6.2 and iPadOS 18.6.2. The vulnerability has also been fixed in other Apple operating systems. Updates are available for macOS Ventura (13.7.8), macOS Sonoma (14.7.8), macOS Sequoia (15.6.1), and iPadOS 17.7.10.

Users of affected devices are advised to install the latest updates as soon as possible to avoid the risk of exploitation.