NAVANEM
CVE-2025-24201 (exploited in the wild)

Apple WebKit, sandbox escape via malicious web content (zero-day)

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. Maliciously crafted web content may be able to break out of Web Content sandbox.

Overview

CVE-2025-24201 is a critical zero-day vulnerability in Apple's WebKit browser engine that enables sandbox escape through maliciously crafted web content. Discovered and patched in March 2025, Apple confirmed this vulnerability was actively exploited in "extremely sophisticated" targeted attacks, language typically reserved for state-sponsored mercenary spyware operations such as those attributed to NSO Group (Pegasus) or Intellexa (Predator).

The vulnerability affects iOS, iPadOS, macOS, visionOS, and Safari across multiple Apple platforms. It represents a significant threat as the second stage in a multi-stage exploit chain, allowing attackers who have achieved code execution within Safari's renderer process to escape the Web Content sandbox and compromise the broader device.

Technical Details

The vulnerability is an out-of-bounds write issue in WebKit's content rendering path. Specifically:

  • Vulnerability Type: Out-of-bounds write (CWE-787)
  • Attack Vector: Network-based via maliciously crafted web content
  • Exploitation Method: Crafted JavaScript-driven web content corrupts memory in WebKit's rendering engine
  • Exploit Chain Position: This CVE serves as the second stage of a chain. After initial Remote Code Execution (RCE) is achieved inside Safari's sandboxed renderer, CVE-2025-24201 enables escape from the Web Content sandbox to attack the rest of the device

Apple addressed the issue with improved bounds checking to prevent unauthorized memory write operations.

Impact

The impact of this vulnerability is severe:

  • Sandbox Escape: Attackers can break out of the Web Content sandbox, a critical security boundary in Apple's defense-in-depth architecture
  • Full Device Compromise: When chained with an initial RCE vulnerability, attackers can gain broader access to the target device
  • Targeted Exploitation: Apple confirmed in-the-wild exploitation against "specific targeted individuals," consistent with mercenary spyware campaigns
  • High-Risk Targets: Executives, journalists, activists, and dissidents face elevated risk

For organizations managing Apple device fleets via MDM solutions (Intune, Jamf, Kandji), this represents a fleet-wide security concern.

Mitigation

  1. Immediate Patching: Deploy updates via MDM to all managed devices:
    • iOS 18.3.2
    • iPadOS 18.3.2
    • macOS Sequoia 15.3.2
    • visionOS 2.3.2
    • Safari 18.3.1
  2. Enable Lockdown Mode: For high-risk users, enable Lockdown Mode (Settings → Privacy & Security), which mitigates this entire class of WebKit exploit chains
  3. Compliance Verification: Audit MDM compliance dashboards to ensure no devices remain on vulnerable versions
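As an added example (not part of the original advisory), the compliance check from step 3 expressed as a script: it compares an exported device inventory against the fixed versions listed in step 1 and lists every device still below them. The inventory rows are constructed sample data and the column names (device_id, platform, version) are assumptions, not any MDM vendor's real export schema.

```python
"""Flag managed Apple devices still below the CVE-2025-24201 fixed versions."""
import csv
import io

# Minimum patched version per platform, taken from the Mitigation section above.
FIXED_VERSIONS = {
    "iOS": "18.3.2",
    "iPadOS": "18.3.2",
    "macOS": "15.3.2",
    "visionOS": "2.3.2",
    "Safari": "18.3.1",
}

# Constructed sample MDM export; column names are assumptions, not a vendor schema.
SAMPLE_INVENTORY = """\
device_id,platform,version
A1,iOS,18.3.1
A2,iOS,18.3.2
A3,iPadOS,18.4
A4,macOS,15.3
A5,macOS,15.3.2
A6,visionOS,2.2.1
A7,Safari,18.3.1
A8,tvOS,18.3
"""

def parse_version(text):
    """'15.3' -> (15, 3, 0): pad to three fields so 18.4 sorts above 18.3.2."""
    parts = [int(p) for p in text.strip().split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(platform, version):
    """True if below the fixed version, False if at/above, None if not covered here."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return None  # platform not in this advisory; do not silently mark it safe
    return parse_version(version) < parse_version(fixed)

def audit(csv_text):
    """Return (device_id, platform, version) for every device still needing the update."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["device_id"], r["platform"], r["version"])
            for r in rows if is_vulnerable(r["platform"], r["version"])]

if __name__ == "__main__":
    for device_id, platform, version in audit(SAMPLE_INVENTORY):
        print(f"{device_id}: {platform} {version} < {FIXED_VERSIONS[platform]}")
```

Platforms the advisory does not list (tvOS in the sample) are reported as None rather than compliant, so they can be reviewed separately instead of disappearing from the audit.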

Detection

No public information available regarding specific indicators of compromise or detection signatures. Organizations should monitor Apple security advisories and threat intelligence feeds for updates on exploitation activity.