Apple has rolled out a crucial security update for older iPhones and iPads, addressing a zero-day vulnerability that was already exploited in highly targeted attacks. The flaw, tracked as CVE-2025-43300, was previously patched on newer versions of iOS, iPadOS, and macOS in late August but has now been backported to protect legacy devices still in wide use.
The vulnerability stems from an out-of-bounds write issue in the Image I/O framework, a core component that handles image processing across Apple platforms. In practical terms, this flaw allowed attackers to craft malicious image files that could corrupt memory, crash applications, or even enable remote code execution on the victim’s device. According to Apple, the exploit was part of an “extremely sophisticated” spyware campaign aimed at specific individuals, underscoring the high-stakes nature of this attack.
The backported fixes are now available in iOS 15.8.5 / 16.7.12 and iPadOS 15.8.5 / 16.7.12, ensuring that users with older devices are not left unprotected. Models impacted include the iPhone 6s, iPhone 7, iPhone SE (1st gen), iPhone 8 series, iPhone X, iPad Air 2, iPad mini 4, iPad 5th generation, early iPad Pro models, and the iPod touch (7th generation). Apple’s advisory notes that improved bounds checks were introduced to mitigate the bug and block memory corruption attempts.
This vulnerability is particularly notable because it was chained with another flaw in WhatsApp (CVE-2025-55177), which allowed zero-click exploitation. In other words, a target could be compromised without clicking a link or interacting with any file. Amnesty International’s Security Lab reported that WhatsApp had warned some users about these attacks, describing them as part of an advanced spyware campaign. The campaign highlights the growing sophistication of state-sponsored threat actors, who often rely on chained vulnerabilities to bypass modern security defenses.
Apple’s patch also comes in the context of an unusually active year for zero-day vulnerabilities. In 2025 alone, Apple has disclosed and patched six separate zero-days: one in January (CVE-2025-24085), another in February (CVE-2025-24200), a third in March (CVE-2025-24201), two in April (CVE-2025-31200 and CVE-2025-31201), and now the latest Image I/O flaw in September. The frequency of these disclosures signals that attackers are relentlessly targeting Apple’s ecosystem, making proactive security responses critical.
Interestingly, this is not limited to Apple’s environment. Samsung also patched a remote code execution bug last week that was exploited alongside the WhatsApp vulnerability, demonstrating how attackers are increasingly deploying cross-platform exploits that affect both iOS and Android ecosystems simultaneously.
Conclusion: Apple’s decision to backport critical zero-day fixes demonstrates its recognition of the enduring risk posed to older devices. With attackers now weaponizing chained vulnerabilities across platforms, the need for timely updates, strong user awareness, and layered security defenses has never been greater. While this update closes one dangerous loophole, the persistence of advanced spyware campaigns suggests that both companies and users must remain constantly vigilant in the face of evolving threats.
