Apple rushes out iOS update to patch dangerous image file exploit

Source: Cryptopolitan

Less than a week after releasing iOS 18.6.1, Apple has shipped iOS 18.6.2, an update that closes a hole attackers were using to compromise devices through malicious image files.

The flaw, tracked as CVE-2025-43300, was identified inside Apple’s Image I/O framework, which handles the reading and writing of image files across its devices. According to the iPhone manufacturer, processing a maliciously crafted image could result in memory corruption and could allow an attacker to execute malicious code on the device.

Apple said the bug may have been exploited in an “extremely sophisticated attack against specific targeted individuals.” The company fixed the problem in iOS 18.6.2 and iPadOS 18.6.2, with parallel security patches for macOS Sequoia, Sonoma and Ventura, all issued in an unscheduled release late Wednesday.

“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” the company wrote on its official support page.

Affected devices and update availability

The iOS 18.6.2 update covers all iPhones released since 2018, beginning with the iPhone XS, XS Max, XR, and the second- and third-generation iPhone SE. The patch also extends to Apple’s latest devices, including the iPhone 16 series and iPhone 16e.

Supported iPad models include the iPad Pro 13-inch, iPad Pro 12.9-inch (2nd generation and later), iPad Pro 11-inch (1st generation and later), iPad Pro 10.5-inch, iPad Air (3rd generation and later), iPad (6th generation and later), and iPad mini (5th generation and later).

[Image: iOS 18.6.2 release notes, marking the update as critical for iPhone and iPad. Source: Apple Support.]

The update is also available for Macs running the three most recent versions of macOS. Apple is asking users not to wait for the automatic rollout and to apply the patch manually instead, since automatic updates can take days to reach every device. On iPhone and iPad the update is installed from Settings > General > Software Update; on a Mac, from System Settings > General > Software Update.

How the flaw works

According to several security analysts, the flaw is an out-of-bounds write: the decoder writes data past the end (or before the start) of the buffer it allocated for it, corrupting whatever happens to sit in the adjacent memory. In an image parser that typically happens when a size or offset taken from the file itself is trusted without being checked against the buffer it is used to index.

Pieter Arntz, a former Microsoft consultant and researcher at cybersecurity firm Malwarebytes, explained in a blog post that the vulnerability could allow attackers to insert and run code in “inaccessible” parts of memory.

“Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions,” he wrote.

Arntz mentioned adversaries could exploit the bug by creating a malicious image file that corrupts memory as soon as the device processes it, even without user interaction. He compared the attack to so-called zero-click exploits, where spyware or malware is triggered simply by receiving or processing malicious content.

“Processing such a malicious image file would result in memory corruption,” he said. “Memory corruption issues can be manipulated to crash a process or run an attacker’s code.”
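As an added illustration (not Apple's code and not the actual CVE-2025-43300 bug, whose internals Apple has not published), the C program below shows the general shape of the class of bug described above: an image decoder that takes a pixel count from the file header and writes that many bytes into a fixed buffer, beside a hardened decoder that validates the count against both the destination buffer and the file length before copying. The toy image format, the 64-byte buffer, the `MAX_PIXELS` constant and the sample images are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy image format, constructed for this example (not a real Apple format):
 *   bytes 0-1  width  (uint16, little-endian)
 *   bytes 2-3  height (uint16, little-endian)
 *   bytes 4..  one byte per pixel, row-major, width*height bytes in total
 */
#define HDR_LEN     4
#define MAX_PIXELS  64   /* size of the decoder's fixed destination buffer */

struct canvas {
    uint8_t  pixels[MAX_PIXELS];
    uint32_t next_field;     /* whatever sits after the buffer is what an
                                out-of-bounds write clobbers first */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable shape: the pixel count comes straight from the header and is
 * never compared with the destination buffer or the file length.
 * Only ever call this with a well-formed image: with a crafted header the
 * loop writes past pixels[] (undefined behaviour in C). */
static size_t decode_unchecked(const uint8_t *file, size_t len, struct canvas *c)
{
    if (len < HDR_LEN) return 0;
    size_t npix = (size_t)rd16(file) * rd16(file + 2);
    for (size_t i = 0; i < npix; i++)            /* BUG: no bound on i        */
        c->pixels[i] = file[HDR_LEN + i];        /* BUG: may also read past file */
    return npix;
}

/* How far past pixels[] the unchecked loop would write for this header.
 * Pure arithmetic, so it is safe to evaluate on a hostile input. */
static size_t unchecked_overrun(const uint8_t *file, size_t len)
{
    if (len < HDR_LEN) return 0;
    size_t npix = (size_t)rd16(file) * rd16(file + 2);
    return npix > MAX_PIXELS ? npix - MAX_PIXELS : 0;
}

/* Hardened decoder: every quantity derived from attacker-controlled header
 * fields is validated before it is used as a size or an index. */
static int decode_checked(const uint8_t *file, size_t len, struct canvas *c)
{
    if (file == NULL || c == NULL || len < HDR_LEN) return -1;
    uint16_t w = rd16(file), h = rd16(file + 2);
    if (w == 0 || h == 0) return -2;                 /* reject degenerate images   */
    if ((size_t)w > SIZE_MAX / h) return -3;         /* multiplication would wrap  */
    size_t npix = (size_t)w * h;
    if (npix > MAX_PIXELS) return -4;                /* destination too small      */
    if (len - HDR_LEN < npix) return -5;             /* file shorter than it claims */
    memcpy(c->pixels, file + HDR_LEN, npix);
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_IMG[HDR_LEN + 6] = { 3, 0, 2, 0,  10, 20, 30, 40, 50, 60 };
/* Header claims 200 x 200 = 40000 pixels but carries only 8 bytes of data. */
static const uint8_t CRAFTED_IMG[HDR_LEN + 8] = { 200, 0, 200, 0,  1, 2, 3, 4, 5, 6, 7, 8 };
/* Header claims 8 x 8 = 64 pixels (fits the buffer) but the file is truncated. */
static const uint8_t TRUNCATED_IMG[HDR_LEN + 8] = { 8, 0, 8, 0,  1, 2, 3, 4, 5, 6, 7, 8 };

int main(void)
{
    struct canvas c = {0};
    decode_unchecked(GOOD_IMG, sizeof GOOD_IMG, &c);     /* fine: 6 <= 64 */
    /* decode_unchecked(CRAFTED_IMG, ...) would write 39936 bytes past the
     * 64-byte buffer; unchecked_overrun() reports that without doing it. */
    if (unchecked_overrun(CRAFTED_IMG, sizeof CRAFTED_IMG) != 39936) return 1;
    if (decode_checked(CRAFTED_IMG, sizeof CRAFTED_IMG, &c) != -4) return 1;
    if (decode_checked(TRUNCATED_IMG, sizeof TRUNCATED_IMG, &c) != -5) return 1;
    return 0;
}
```

The unchecked decoder is deliberately never run on the crafted header, because the write past `pixels[]` is undefined behaviour; `unchecked_overrun()` computes how far it would go instead. The three checks in `decode_checked()` (non-zero dimensions, no wrap in the width-by-height multiplication, and a fit against both the buffer and the remaining file length) are the ones to look for when reviewing any decoder that takes sizes from the data it parses; the truncated-file case matters as much as the oversized one, since it turns the write into an out-of-bounds read of the source.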

Apple acknowledged that it had received reports of the flaw being used in targeted attacks against certain individuals, but did not identify the victims.

Sean Wright, head of application security at Featurespace, believes the exploit was too complex to be deployed on a wide scale.

“Thankfully, the exploit does appear to be complex and likely only exploited in a very targeted attack, so most ordinary users are unlikely to become a victim,” Wright told Forbes. “But I would still highly recommend applying the fix as soon as possible to be on the safe side.”
