CISA warns of Apple zero-day used in targeted cyberattacks

A recently disclosed vulnerability affecting Apple products has prompted an order for government organizations to patch the bug. 

The Cybersecurity and Infrastructure Security Agency (CISA) gave civilian federal agencies until September 11 to implement a fix for CVE-2025-43300 — a vulnerability affecting popular brands of Apple phones, iPads and MacBooks.

Apple said on Wednesday that it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” 

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Thursday. CISA officials gave the vulnerability a severity rating of 8.8 out of 10.

Apple did not respond to requests for clarification about how it is being used. 

Qualys security research manager Mayuresh Dani explained that the vulnerability affects Apple's ImageIO framework, a core system component responsible for processing various image formats across iOS, iPadOS, and macOS. 

“This is a zero-click exploit that requires no user interaction, and can be triggered simply by processing a maliciously crafted image file, which could be delivered through various channels including messages, emails, or web content,” Dani said. 

At the Black Hat security conference two weeks ago, Censys security researcher Aidan Holland told Recorded Future News that threat actors have had to switch to malicious images as their way into Apple devices because the company blocks links from unknown senders. One way around it is to get people to click and download an image, he explained.

The tech giant has released patches for multiple zero-day vulnerabilities in 2025 — many of which Apple and other security companies attribute to sophisticated spyware vendors. 

Several of the companies have faced international sanctions and lawsuits over their specific targeting of Apple systems. Many of the vulnerabilities found are sold to governments that have used them to target political rivals, dissidents and others.

Dani noted that as recently as 2023, the BLASTPASS exploit chain – CVE-2023-41064 and CVE-2023-41061 – also targeted ImageIO and was used to deploy the NSO Group’s Pegasus spyware.

Satnam Narang, senior staff research engineer at Tenable, said Apple rarely used language like “an extremely sophisticated attack against specific targeted individuals” in security advisories.

“While the impact to the wider populace is smaller because the attackers exploiting CVE-2025-43300 had a narrow, targeted focus, Apple wants the public to pay attention to the threat and take immediate action,” Narang said. “While the possibility of the average user being a target is low, it’s never zero.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.