CVE-2025-24201

ENISA EUVD: EUVD-2025-6302 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 11 articles Published: 2025-03-11

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

0.2%

probability

This CVE has a 0.2% probability of being exploited in the next 30 days.

0% Top 42.4th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Affected Products

Apple

Safari

Apple

iOS and iPadOS

0 0 0

Apple

iPadOS

Apple

macOS

Apple

visionOS

apple

safari

apple

macos

apple

visionos

apple

watchos

apple

ipados

Apple

macOS

0 <15.3.2

Apple

iOS and iPadOS

0 <15.8.4

Apple

iPadOS

0 <17.7.6

Apple

iOS and iPadOS

unspecified <16.7

Apple

iOS and iPadOS

unspecified <15.8

Apple

iPadOS

unspecified <17.7

Apple

Safari

unspecified <18.3

Apple

watchOS

0 <11.4

Apple

macOS

unspecified <15.3

Apple

visionOS

0 <2.3.2

Apple

Safari

0 <18.3.1

Apple

iOS and iPadOS

0 <18.3.2

Apple

iOS and iPadOS

unspecified <18.3

Apple

watchOS

unspecified <11.4

Apple

visionOS

unspecified <2.3

Apple

iOS and iPadOS

0 <16.7.11

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

Google Project Zero

Patched

March 11, 2025

Reported by

Apple

Root Cause Analysis

???

Exploits & PoC

The-Maxu/CVE-2025-24201-WebKit-Vulnerability-Detector-PoC-

CVE-2025-24201 WebKit Vulnerability Detector (PoC)

6 2025-07-11

5ky9uy/glass-cage-i18-2025-24085-and-cve-2025-24201

Glass Cage is a zero-click PNG-based RCE chain in iOS 18.2.1, exploiting WebKit (CVE-2025-24201) and Core Media (CVE-2025-24085) to achieve sandbox es

4 2025-08-30

2 repos — triés par ⭐ Rechercher sur GitHub ↗

https://support.apple.com/en-us/122281

https://support.apple.com/en-us/122283

https://support.apple.com/en-us/122284

https://support.apple.com/en-us/122285

https://support.apple.com/en-us/122345

https://support.apple.com/en-us/122346

Signal Intelligence

Confidenceⓘ

95%

EPSS 0.2%

CVSS v3.1 10

Mentions 11

Last Seen Dec 13, 2025

CNA Information

CNA Assigner

apple

Analyst Note

This CVE demonstrates strong confirmation indicators: a CVSS 10.0 critical severity rating, patches deployed across multiple Apple platforms, inclusion in Google Project Zero, and consistent reporting from reputable sources documenting active exploitation in sophisticated targeted attacks. The out-of-bounds write enabling WebKit sandbox escape represents a high-impact vulnerability with verified real-world exploitation.