Pierluigi Paganini January 29, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products’ flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple Multiple Products Use-After-Free Vulnerability, tracked as CVE-2025-24085, to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Apple released security updates to address 2025’s first zero-day vulnerability, tracked as CVE-2025-24085, actively exploited in attacks targeting iPhone users.

The vulnerability is a privilege escalation vulnerability that impacts the Core Media framework.

“A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.” reads the advisory ([1], [2], [3], [4], [5]) published by the IT giant.

The Apple Core Media framework supports multimedia tasks like playback, recording, and manipulation of audio and video on iOS and macOS devices.

The company addressed the use after free issue with improved memory management.

Threat actors exploited the vulnerability to target devices running iOS before iOS 17.2.

The vulnerability impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

Apple addressed the issue with the release of iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3.

As usual, the company did not share details regarding the attacks exploiting the flaw.

Usually, such kinds of vulnerabilities are exploited by nation-state actors or commercial surveillance spyware vendors in targeted attacks.

Customers are recommended to install the security updates released by the company.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 13, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)