CISA Adds Apple’s Flaw to Known Exploited Vulnerabilities Catalog

January 29, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in multiple Apple products, tracked as CVE-2025-24085, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, which has been actively exploited in attacks against iPhone users, was addressed by Apple through the release of security updates.

The flaw is a privilege escalation vulnerability that affects the Core Media framework, a system that supports multimedia tasks such as playback, recording, and manipulation of audio and video on iOS and macOS devices. Apple acknowledged the issue, stating, “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.” The issue was resolved by improving memory management.

The vulnerability was exploited to target devices running iOS versions prior to iOS 17.2, impacting a range of devices including iPhone XS and later, various iPad Pro models, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. Apple has since addressed the issue with the release of updates for various operating systems including iOS, iPadOS, macOS, watchOS, visionOS, and tvOS.

While Apple has not shared specifics regarding the attacks that exploited this flaw, it is common for such vulnerabilities to be exploited by nation-state actors or commercial surveillance spyware vendors in targeted attacks. The company has advised customers to install the released security updates.

As per the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies must address identified vulnerabilities by the given due date to safeguard their networks against attacks exploiting the cataloged flaws. Experts also recommend that private organizations review the Catalog and address any vulnerabilities in their infrastructure. CISA has ordered federal agencies to fix this vulnerability by February 13, 2025.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.