Apple on Jan. 27 patched its first zero-day of 2025, a bug that the company confirmed was actively exploited in the wild on iOS devices.
The bug — CVE-2025-24085 — was a “use after free” issue that was addressed with improved memory management. The issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, and tvOS 18.3.
A "use after free" bug is a memory corruption issue in which a program tries to access or use a memory location that has already been freed and is no longer available to it, which can lead to unexpected behavior, crashes, or even malicious code execution by attackers.
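As an added illustration of the bug class (not Apple's code and not the CVE-2025-24085 flaw, whose details are not public in this article), the C sketch below shows a stale reference reading a buffer after it was freed and reused, next to a hardened read that rejects it. The slot pool, handle type and function names are constructed for this example; the fixed pool stands in for the heap so the reuse is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy pool: fixed slots stand in for heap chunks so that reuse
   after free is deterministic and the demo never touches truly freed memory. */
#define SLOTS 2
struct buf { int in_use; unsigned gen; char data[16]; };
static struct buf pool[SLOTS];
struct handle { int slot; unsigned gen; };   /* gen = generation at allocation */

static struct handle buf_alloc(const char *s) {
    for (int i = 0; i < SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].gen++;                   /* every reuse gets a new generation */
            snprintf(pool[i].data, sizeof pool[i].data, "%s", s);
            return (struct handle){ i, pool[i].gen };
        }
    }
    return (struct handle){ -1, 0 };         /* pool exhausted */
}

/* Free only if the handle still names the live allocation (blocks double free). */
static void buf_free(struct handle h) {
    if (h.slot >= 0 && h.slot < SLOTS && pool[h.slot].gen == h.gen)
        pool[h.slot].in_use = 0;
}

/* Vulnerable pattern: trusts the handle and never checks that it is still live. */
static const char *read_unchecked(struct handle h) { return pool[h.slot].data; }

/* Hardened: rejects a handle whose slot was freed or handed to a new owner. */
static const char *read_checked(struct handle h) {
    if (h.slot < 0 || h.slot >= SLOTS) return NULL;
    if (!pool[h.slot].in_use || pool[h.slot].gen != h.gen) return NULL;
    return pool[h.slot].data;
}

/* Scenario: a handle outlives its buffer and the slot is reused by someone else. */
static int demo(void) {
    struct handle media = buf_alloc("frame-A");
    buf_free(media);                             /* owner releases the buffer */
    struct handle other = buf_alloc("secret");   /* same slot, new owner */
    int leaked  = strcmp(read_unchecked(media), "secret") == 0; /* stale read sees new data */
    int blocked = read_checked(media) == NULL;   /* stale handle is refused */
    int valid   = read_checked(other) != NULL;   /* live handle still works */
    buf_free(other);
    return leaked && blocked && valid;
}

int main(void) { printf("demo ok: %d\n", demo()); return 0; }
```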
In the recent iOS 18.3 update, Apple notably addressed an actively exploited CoreMedia flaw that could let attackers take control of targeted devices via a fake app pretending to play multimedia files, giving the attackers access to sensitive data.
“Users who don’t update from older iOS versions remain at risk of exploitation, including unauthorized data access, financial loss, and erosion of user privacy,” said Sylvain Cortes, vice president of strategy at Hackuity. “These vulnerabilities could allow attackers to execute arbitrary code, access sensitive or confidential information and compromise the security of both personal and corporate data.”
Cortes recommended that users promptly update their devices to iOS 18.3. He said regularly installing updates as they are released ensures that devices are protected against known and new vulnerabilities — some of which attackers could actively exploit.
Michael Covington, vice president of Portfolio Strategy at Jamf, added that a zero-day actively exploited by attackers will always be a concern, but it’s even more alarming when the vulnerability is in a core function shared across multiple operating systems in use on some of the world's most popular devices.
“Apple's Core Media was identified as the framework being exploited,” said Covington. “Though we do not yet have details on the specific vulnerability, we do know that it can be used to grant elevated privileges to a malicious application. The framework is commonly used to process media, which means it supports a broad set of apps and manages data queues in memory. It may have been targeted because the design allows an attacker to input data of their own design into the framework, providing potential insights into how data is manipulated at runtime.”
Jason Soroko, senior fellow at Sectigo, explained that the Core Media framework handles audio and video processing on Apple devices. It manages the creation, manipulation, and display of media streams and is essential to the operating system.
“A vulnerability in this core component can lead to privilege escalation, allowing attackers to execute arbitrary code with elevated permissions,” said Soroko. “Although current exploitation in the wild appears targeted, security teams should apply Apple’s patch swiftly to prevent broader attacks on unprotected devices.”
Lawrence Pingree, vice president at Dispersive, said that phones today are basically the same as any datacenter server: they have advanced to the point where their capabilities are similar to those of traditional desktop or laptop systems.
“What people don't often realize is that every vulnerability that’s discovered (zero day or not) was present before discovery and could be used maliciously by threat actors,” said Pingree. “I think for most users, they don't have much perception of security. For me, I don't trust devices, and I worry that these devices can be used against users in a heavily targeted manner.”