Apple has released iOS 18.3.2, a security update that addresses a critical vulnerability in WebKit, the framework that powers Safari and renders web-based content on iOS devices. The update, released on March 11, 2025, fixes a flaw identified as CVE-2025-24201 that allowed maliciously crafted web content to break out of the Web Content sandbox. The latest security patch follows Apple’s established pattern of rapid response to critical security threats.
The vulnerability was initially believed to have been patched in iOS 17.2, but Apple has now issued a supplementary fix to fully address the issue. According to security researchers, the flaw was exploited in a highly sophisticated attack targeting specific individuals before the iOS 17.2 release. The incident bears similarities to previous targeted attacks that have leveraged WebKit vulnerabilities for unauthorized access to iOS devices.
“In this particular flaw, attackers were able to use maliciously crafted web content to escape the iOS Web Content sandbox. Breaking out of a sandbox allows an attacker to access data in other parts of the operating system,” said Adam Boynton, Senior Security Strategy Manager at Jamf.
The security update is available for iPhone XS and later models, as well as multiple iPad Pro models, iPad Air (3rd generation and later), iPad (7th generation and later), and iPad mini (5th generation and later). Users can install the update by navigating to Settings > General > Software Update on their devices. The update is particularly crucial given Apple’s recent expansion of security features, including the implementation of end-to-end encryption for RCS messaging.
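For an administrator responsible for more than one device, the practical question behind the paragraph above is which devices in an inventory still report a version below iOS 18.3.2. The following script is an added example (not from the article, Apple, or Jamf) that parses reported OS version strings into comparable tuples, so that 18.3.2 is compared numerically rather than as text, and flags the devices that have not yet received the fix. The inventory rows are constructed sample data; the minimum fixed version 18.3.2 is taken from the article, and treating any later version as carrying the fix is an assumption.

```python
"""Flag inventory devices still running an iOS/iPadOS build below 18.3.2.

Added example; the inventory below is constructed sample data, not a real
MDM export. The 18.3.2 threshold comes from the article.
"""
import re
from typing import List, Tuple

# iOS 18.3.2 is the release the article names as carrying the fix.
MIN_FIXED_VERSION: Tuple[int, int, int] = (18, 3, 2)

# Only these OS families are assessed; other rows are skipped, not flagged.
ASSESSED_OS_PREFIXES = ("iOS", "iPadOS")

# Constructed sample inventory (device id, reported OS string).
SAMPLE_INVENTORY = [
    {"id": "dev-1", "os": "iOS 18.3.2 (22D82)"},   # patched
    {"id": "dev-2", "os": "iOS 18.3.1"},           # one release behind
    {"id": "dev-3", "os": "iPadOS 18.3"},          # two-part version, below fix
    {"id": "dev-4", "os": "iOS 18.4"},             # assumed to include the fix
    {"id": "dev-5", "os": "macOS 15.3.2"},         # not assessed by this check
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first dotted version in text as a 3-tuple of ints.

    Missing components are treated as zero, so "18.3" == (18, 3, 0), and
    comparison is numeric: (18, 3, 10) > (18, 3, 2), which a plain string
    comparison would get wrong.
    """
    match = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in match.groups())
    return (major, minor, patch)


def is_patched(os_string: str, minimum=MIN_FIXED_VERSION) -> bool:
    """True when the reported version is at or above the fixed release."""
    return parse_version(os_string) >= minimum


def unpatched_devices(inventory: List[dict]) -> List[str]:
    """Return the ids of assessed devices still below MIN_FIXED_VERSION."""
    flagged = []
    for row in inventory:
        os_string = row["os"]
        if not os_string.startswith(ASSESSED_OS_PREFIXES):
            continue  # outside the scope of this iOS/iPadOS check
        if not is_patched(os_string):
            flagged.append(row["id"])
    return sorted(flagged)


if __name__ == "__main__":
    for device_id in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{device_id}: below iOS 18.3.2, update required")
```

Running the block prints dev-2 and dev-3; dev-5 is skipped rather than reported because the check only assesses iOS and iPadOS rows, and a real deployment would take the inventory from an MDM export instead of the constructed list.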
“Cybercriminals will attempt to compromise devices that have not been updated,” said Boynton. “Therefore, we strongly recommend that users install iOS 18.3.2 immediately. Keeping devices up to date with the latest patches is one of the most effective ways to safeguard against attackers.”
The sophistication of the attack and its targeted nature suggest that state-sponsored actors may have exploited the vulnerability for surveillance purposes before the initial patch was released. The pattern follows a concerning trend of government entities using advanced malware for surveillance, as documented by privacy advocacy groups like the Electronic Frontier Foundation.
Security experts note that the WebKit vulnerability is particularly concerning given the recent surge in sophisticated mobile attacks, including AI-enhanced social engineering tactics and targeted phishing campaigns. The discovery and patching of this vulnerability underscore the ongoing challenges in maintaining mobile device security against increasingly sophisticated threats.
Sources: Infosecurity Magazine, Apple Support, TechRepublic