Zero-Day Analysis

Apple WebKit Zero-Day CVE-2025-24201: Out-of-Bounds Write Exploited in the Wild

Apple patched CVE-2025-24201, a WebKit zero-day that allowed sandbox escape through malicious web content. Here's the technical breakdown.

Shadab Khan
Threat Intelligence

On March 11, 2025, Apple released emergency security updates across iOS, iPadOS, macOS, Safari, and visionOS to address CVE-2025-24201 — an out-of-bounds write vulnerability in WebKit that was being actively exploited in the wild. Apple described it as a supplementary fix for an attack that had been blocked in iOS 17.2, suggesting the original mitigation was incomplete.

This marks yet another WebKit zero-day in a long line of browser engine vulnerabilities that have been weaponized against targeted individuals. The pattern is well-established: state-sponsored actors and commercial spyware vendors develop WebKit exploits as entry points into Apple devices, and the targets are typically journalists, activists, dissidents, and government officials.

Technical Details

CVE-2025-24201 is an out-of-bounds write in WebKit's web content processing engine. The vulnerability allows maliciously crafted web content to break out of the Web Content sandbox — the security boundary that isolates web rendering from the rest of the operating system.

The out-of-bounds write primitive is significant because it enables an attacker to corrupt memory outside the intended buffer boundaries. When combined with additional exploitation techniques, this can achieve arbitrary code execution within the WebKit process. The sandbox escape component elevates this from a browser compromise to a device compromise.

Apple's description that this was a "supplementary fix for an attack that was blocked in iOS 17.2" is telling. It means:

  1. The original exploit chain was first seen before December 2023 (when iOS 17.2 shipped)
  2. Apple's initial fix addressed the exploit but not the underlying vulnerability
  3. Attackers found a way around the iOS 17.2 mitigation, prompting this additional patch
  4. The vulnerability root cause remained exploitable for over a year after the first mitigation attempt

The WebKit Monoculture Problem

Every browser on iOS uses WebKit. Apple's App Store guidelines require all third-party browsers — Chrome, Firefox, Edge, Brave, and others — to use WebKit as their rendering engine. This means a WebKit vulnerability affects every browser on every iPhone and iPad, regardless of which browser the user prefers.

This monoculture creates an amplified blast radius. When a WebKit zero-day emerges, there's no "use a different browser" mitigation. Every iOS user is affected until they install the update.

The European Union's Digital Markets Act (DMA) may eventually change this by requiring Apple to allow alternative browser engines on iOS. Some progress was made in 2024 with iOS 17.4 in the EU, but adoption of alternative engines has been slow. For now, WebKit remains the single point of failure for mobile browser security on Apple platforms.

Exploit Chains and Spyware

WebKit zero-days rarely exist in isolation. They're typically the first link in a multi-stage exploit chain:

  1. WebKit vulnerability: Initial code execution in the browser process
  2. Sandbox escape: Breaking out of the Web Content sandbox (CVE-2025-24201 combines both)
  3. Kernel vulnerability: Elevating privileges to gain kernel access
  4. Persistence mechanism: Surviving reboots and maintaining access

Commercial spyware vendors like NSO Group (Pegasus), Intellexa (Predator), and QuaDream have historically used WebKit zero-days as the initial entry point. The exploit is delivered via a malicious link or, in zero-click scenarios, through iMessage or other messaging platforms that render web content.

The "extremely sophisticated attack against specific targeted individuals" language in Apple's advisory is consistent with commercial spyware deployment. These aren't mass-market criminal operations. They're precision tools sold to governments.

Affected Products and Versions

The vulnerability was patched in:

  • iOS 18.3.2 and iPadOS 18.3.2
  • macOS Sequoia 15.3.2
  • Safari 18.3.1
  • visionOS 2.3.2

Older iOS versions (17.x and below) were not mentioned in the advisory, leaving users on older devices potentially exposed. This is an increasingly common problem as Apple's security updates favor current-generation software.

The Update Gap

Despite Apple's reputation for rapid security response, there's always a gap between patch availability and user adoption. Apple's own data suggests that major iOS updates reach 80% adoption within a few months, but emergency security patches can take weeks to propagate.

During this window, attackers with knowledge of the vulnerability (including those who may reverse-engineer the patch) can develop or refine exploits. For targeted attacks, even a few days of exposure is sufficient to compromise specific individuals.

Organizations managing fleets of Apple devices through MDM solutions should push the update immediately. For personal devices, enabling automatic updates is the single most important security measure.

Detection Challenges

Detecting WebKit exploitation on iOS is exceptionally difficult:

  • No third-party security software has kernel-level access on iOS
  • Crash logs may show WebKit-related crashes, but sophisticated exploits are designed to be stable
  • Apple's Lockdown Mode reduces the attack surface by disabling certain WebKit features, but it prevents exploitation rather than detecting it
  • iVerify and similar tools can detect some indicators of compromise but cannot provide comprehensive monitoring

Apple's own Rapid Security Response mechanism, introduced in iOS 16, allows faster delivery of WebKit patches without full OS updates. But for CVE-2025-24201, a full OS update was required.

Recommendations

For individuals who may be targeted (journalists, activists, executives):

  1. Enable Lockdown Mode: it disables some WebKit functionality and significantly reduces the attack surface.
  2. Update immediately: don't wait for automatic updates; manually check for and install updates.
  3. Use Apple's Rapid Security Response: ensure it is enabled in Settings.
  4. Be cautious with links, even from trusted contacts, since their accounts may be compromised.

For organizations:

  1. Push updates through MDM immediately
  2. Monitor for devices that haven't applied the update
  3. Consider Lockdown Mode for high-risk users
  4. Review web filtering logs for indicators of exploitation attempts
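One way to implement the second step, finding devices that have not applied the fix, is to compare an MDM inventory export against the fixed versions listed in the advisory. The following is an added example, not code from the article or from any MDM product; it assumes each inventory record is a dict with "name", "platform" and "os_version" keys, and the device records in it are constructed.

```python
"""Flag Apple devices still exposed to CVE-2025-24201 from an MDM inventory.
Added example, not code from the article or from any MDM product. Assumes each
inventory record is a dict with "name", "platform" and "os_version" keys."""

# Minimum versions carrying the fix, as listed in Apple's March 11, 2025 advisory.
FIXED_VERSIONS = {"iOS": "18.3.2", "iPadOS": "18.3.2", "macOS": "15.3.2", "visionOS": "2.3.2"}


def parse_version(version: str) -> tuple:
    """"18.3.2" -> (18, 3, 2): compare numerically, since a string compare would
    wrongly rank "18.3.10" below "18.3.2"."""
    return tuple(int(part) for part in version.split("."))


def assess(device: dict) -> str:
    """Return 'patched', 'vulnerable', 'unsupported_branch' or 'unknown'."""
    fixed = FIXED_VERSIONS.get(device["platform"])
    if fixed is None:
        return "unknown"  # platform not covered by the advisory (e.g. watchOS)
    current, target = parse_version(device["os_version"]), parse_version(fixed)
    if current >= target:
        return "patched"
    if current[0] < target[0]:
        # The advisory lists no fix for older major versions (iOS 17.x, macOS 14.x):
        # an update alone cannot close the gap, so escalate these separately.
        return "unsupported_branch"
    return "vulnerable"


def triage(inventory: list) -> dict:
    """Group device names by assessment bucket for MDM follow-up."""
    report = {"patched": [], "vulnerable": [], "unsupported_branch": [], "unknown": []}
    for device in inventory:
        report[assess(device)].append(device["name"])
    return report


# Constructed sample inventory; names and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"name": "ip-legal-01", "platform": "iOS", "os_version": "18.3.2"},
    {"name": "ip-legal-02", "platform": "iOS", "os_version": "18.3"},
    {"name": "ip-legal-03", "platform": "iOS", "os_version": "18.3.10"},  # hypothetical later build
    {"name": "ipad-ops-07", "platform": "iPadOS", "os_version": "17.7.5"},
    {"name": "mbp-sec-04", "platform": "macOS", "os_version": "15.3.1"},
    {"name": "mbp-sec-05", "platform": "macOS", "os_version": "14.7.4"},
    {"name": "watch-ceo", "platform": "watchOS", "os_version": "11.3.1"},
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:19s} {', '.join(names) or '-'}")
```

Devices in the "unsupported_branch" bucket are the ones the article's note on 17.x users applies to: no listed update closes their exposure, so they need a hardware or major-version decision rather than a patch push.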

How Safeguard.sh Helps

Safeguard.sh extends supply chain visibility to the software running on your organization's endpoints, including mobile device operating systems and browser components. By integrating with MDM solutions and maintaining software inventory data, Safeguard.sh can identify which devices in your fleet are running vulnerable WebKit versions.

When a zero-day like CVE-2025-24201 is disclosed, the platform immediately flags affected devices and tracks patch deployment progress. Policy rules can enforce update timelines — for example, requiring all iOS devices to be updated within 48 hours of a critical WebKit patch — with automatic escalation for non-compliant devices.

For organizations that need to assess their exposure to browser engine vulnerabilities specifically, Safeguard.sh's component-level SBOM tracking identifies the WebKit version embedded in every browser and application across your environment, giving you a complete picture of your actual attack surface.
