U.S. CISA adds D-Link cameras and Network Video Recorder flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds Apple iOS, iPadOS, and macOS flaw to its Known Exploited Vulnerabilities catalog

Por

U.S. CISA adds Apple iOS, iPadOS, and macOSflaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS, iPadOS, and macOSflaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)added Apple iOS, iPadOS, and macOSflaw, tracked as CVE-2025-43300, to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Apple addressed the actively exploited zero-day CVE-2025-43300 in iOS, iPadOS, and macOS. The vulnerability is zero-day out-of-bounds write issue that resides in theImageIO framework, an attacker could exploit it to cause memory corruption when processing a malicious image.

“Processing a malicious image file may result in memory corruption.” reads theadvisorypublished by the tech giant. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

The company fixed the problem with improved bounds checking. Apple released the following updates to fix the issue:

  • iOS 18.6.2 and iPadOS 18.6.2– iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • iPadOS 17.7.10– iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
  • macOS Ventura 13.7.8– Mac systems running macOS Ventura
  • macOS Sonoma 14.7.8– Macs systems running macOS Sonoma
  • macOS Sequoia 15.6.1– Macs systems running macOS Sequoia

As usual, the company did not share technical details about the attacks exploiting this vulnerability.

According toBinding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review theCatalogand address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities bySeptember 11, 2025.

Follow me on Twitter:@securityaffairsandFacebookandMastodon

PierluigiPaganini

(SecurityAffairshacking,CISA)