Apple has uncovered hackers exploiting a vulnerability in iOS that appears to have been lingering for more than a year.
On Monday, the company issued a patch for the flaw in the iOS 18.3 release for iPhones. In the bug notes, Apple indicates that malicious software applications have been abusing the vulnerability to increase their access to system privileges.
The company added: “Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2,” which was released in December 2023. Apple iPhone models from 2018’s XS and up are all affected.
The vulnerability, dubbed CVE-2025-24085, involves how iOS processes multimedia files through a software framework called Core Media. The framework suffered from a memory corruption error, called a “use after free” bug, which can cause unstable behavior, paving the way to tamper with the software.
Although details are thin, Apple’s bug report suggests the hackers exploited the vulnerability starting over a year ago, possibly through fake apps designed to play media files. Since the attack went undetected for so long, the hackers may have used the vulnerability against specific high-value targets to hijack their iPhone devices.
CVE-2025-24085 also represents the first “zero-day” vulnerability that Apple has fixed so far this year. In response, the company has issued a patch not only for iPhones and iPads, but also for macOS Sequoia, watchOS, tvOS and even Apple’s Vision Pro headset. Users can update their iPhones by going to Settings > General > Software Update. The phone can also patch itself automatically if you’ve toggled on automatic updates.