Ethical Hacking News
In a significant move, Apple has released security updates that backport zero-day patches from newer iOS and iPadOS versions to older devices. This update aims to provide additional protection for users whose devices are unable to run the latest software due to hardware limitations or other factors.
Apple has released security updates to patch a zero-day vulnerability (CVE-2025-43300) in iOS and iPadOS. The vulnerability can lead to memory corruption, crashes, or remote code execution when a maliciously crafted image file is processed. The affected devices include older models such as iPhone 6s, iPhone 7, and iPad Air 2. Apple has also fixed six other zero-days that were exploited in the wild in 2025.
Apple has taken a proactive approach to address the growing threat landscape, releasing security updates that backport patches from newer iOS and iPadOS versions to older devices. This move aims to provide additional protection for users who may not be able to upgrade their devices due to various reasons such as hardware limitations or user preference.
The security flaw in question, CVE-2025-43300, was identified by Apple's security researchers and is caused by an out-of-bounds write weakness in the Image I/O framework. Processing a maliciously crafted image file can trigger the flaw, potentially leading to memory corruption, crashes, or even remote code execution.
The vulnerability has been exploited in "extremely sophisticated" attacks against specific targeted individuals, according to Apple's advisories. The company has now addressed this zero-day flaw in iOS 15.8.5 / 16.7.12, as well as iPadOS 15.8.5 / 16.7.12, with improved bounds checks.
The list of devices impacted by this vulnerability is extensive, affecting a wide range of older models, including the iPhone 6s, iPhone 7, iPhone SE, iPhone 8, and iPhone 8 Plus, as well as various iPad models such as the iPad Air 2, iPad mini, iPad Pro 9.7-inch, and iPod touch (7th generation).
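As an added example (not from Apple or the original article), the Python check below flags devices in an inventory export that are still below the fixed releases named above. The inventory rows and device names are constructed, and branches other than 15.x and 16.x are reported as not covered because the article gives no fixed version for them.

```python
import re

# Fixed releases named in the article, keyed by major version branch.
# iOS and iPadOS share these version numbers.
FIXED = {15: (15, 8, 5), 16: (16, 7, 12)}


def parse_version(text):
    """Return (major, minor, patch) as ints for '16', '16.7' or '16.7.12', else None."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(os_version):
    """Compare numerically; string comparison would rank '16.7.9' above '16.7.12'."""
    version = parse_version(os_version)
    if version is None:
        return "unparseable"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "branch-not-covered"
    return "patched" if version >= fixed else "needs-update"


def audit(inventory):
    """Group device names by patch status."""
    report = {}
    for name, os_version in inventory:
        report.setdefault(classify(os_version), []).append(name)
    return report


# Constructed sample inventory (hypothetical device names), e.g. from an MDM export.
SAMPLE = [
    ("iphone-6s-lobby", "15.8.4"),
    ("iphone-7-kiosk", "15.8.5"),
    ("iphone-8-field", "16.7.9"),
    ("ipad-pro-97", "16.7.12"),
    ("ipad-air2-lab", "15.8"),
    ("iphone-test", "17.0"),
    ("unlabelled", "n/a"),
]

if __name__ == "__main__":
    for status, names in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(names)}")
```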
This is not an isolated incident; WhatsApp has also patched a zero-click vulnerability in its iOS and macOS messaging clients, which was chained with Apple's CVE-2025-43300 zero-day in targeted attacks described as "extremely sophisticated." Samsung has similarly addressed a remote code execution vulnerability in its Android devices.
Donncha Ó Cearbhaill, the head of Amnesty International's Security Lab, warned some WhatsApp users that their devices were targeted in an advanced spyware campaign. This highlights the growing concern around the use of zero-day vulnerabilities in targeted attacks.
Apple has now fixed six zero-days that were exploited in the wild in 2025: the first in January (CVE-2025-24085), the second in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two more in April (CVE-2025-31200 and CVE-2025-31201).
This vulnerability highlights the ongoing threat landscape and the importance of keeping devices up to date with the latest security patches. Apple's efforts to backport these patches demonstrate its commitment to protecting users, even those who may not be able to upgrade their devices for various reasons.
Published: Tue Sep 16 07:41:16 2025 by llama3.2 3B Q4_K_M