Apple’s 3 Zero-Days: If You Haven’t Updated Yet, What Are You Even Doing With Your Life?

So, Apple’s back in the news for the wrong reasons. Again. This time, not because someone couldn’t find the USB-C port, or because your £1,200 iPhone still doesn’t come with a charger. No, this time it's because three—count them—three zero-day vulnerabilities are running riot across iPhones, iPads, Macs, and just about everything else with a bitten fruit stamped on it.

And yes, these vulnerabilities are already being exploited in the wild. Lovely.

Here We Go Again...

Apple, the company that’s spent years cultivating an image of being secure by default, just pushed emergency updates to deal with three new zero-days—CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085.

Don’t bother memorising them. Just know this: if you haven’t updated your kit already, you may as well hand your phone over to a cybercriminal and say, “Here you go mate, help yourself.”

Let’s break it down. And yes, this will get snarky.

CVE-2025-24200 – “Plug It In and Steal Everything”

You’d think by now Apple would have USB security nailed. You’d be wrong.

This vulnerability allows a bad actor with physical access to disable USB Restricted Mode on locked devices. You know that handy feature designed to stop dodgy USB tools from accessing your data without your permission? Yeah, this just switches it off. Brilliant.

All an attacker has to do is plug in their gear, and boom—your ‘secured’ iPhone just rolled over and showed its belly.

It’s like having a burglar alarm with a snooze button.

Affected: iOS 18.3.1 and iPadOS 18.3.1.
Devices: Basically anything from iPhone XS and newer.

CVE-2025-24201 – “Safari’s Escape Room”

This one’s in WebKit, because of course it is.

WebKit, if you're not familiar, is the engine that powers Safari and every other browser-like thing on Apple devices. It's the heart of everything from web apps to email previews.

This little gem lets malicious web content break out of the Web Content sandbox. That’s tech-speak for: your iPhone might think it’s just loading a webpage, but in reality, that webpage is running around the OS like it owns the place.

This was supposed to be dealt with in iOS 17.2. Guess that fix aged like milk.

Affected: iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.

CVE-2025-24085 – “CoreMedia Has Core Problems”

CoreMedia is responsible for handling your audio and video. Unfortunately, it’s also now responsible for letting malicious applications escalate their privileges—meaning an app could gain access to bits of the OS it has absolutely no business touching.

This one’s a use-after-free bug, which sounds technical and boring, but basically it means your OS is letting apps play around in memory that’s already been chucked in the bin. That’s like asking your dog to guard your steak after it’s eaten it.

Affected: iPhones, iPads, Macs, Apple Watch, Apple TV, and Vision Pro. So basically everything.

So What’s the Risk?

Let’s put it plainly.

  • If someone has your device and knows what they’re doing, they could extract data via USB.

  • If you visit a compromised website (which could be anything from a dodgy pop-up ad to a poisoned link), you could end up with malicious code running outside the browser.

  • And if you’ve downloaded a rogue app (accidentally or through side-loading), it could take over parts of your system.

These aren’t hypothetical. Apple has confirmed all three are being actively exploited.

Yes, you read that right. Not “maybe exploitable in theory”. Actively. In. The. Wild.

What You Should Do (Right Now. Seriously.)

Look, we all know updates are annoying. But when the alternative is “your phone turns into a remote-controlled surveillance device,” you really don’t have an excuse.

Update Everything:

  • iPhone/iPad: Settings > General > Software Update.

  • Mac: Apple Menu > System Settings > General > Software Update.

  • Apple Watch: Use the Watch app on your iPhone.

  • Apple TV: Settings > System > Software Updates.

  • Apple Vision Pro (if you’ve already burned cash on this): Update via visionOS settings.

Turn on Automatic Updates.

Yes, they sometimes reboot your device at awkward times, but better that than waking up to find your phone has been emptied out like a smashed car window.

Stop Installing Random Crap

Do not side-load apps from the internet because some TikTok told you it’s the “pro” way. That’s how you get malware. That’s how you get ransomware. That’s how you end up in tears.

Use Lockdown Mode

If you’re in a sensitive role, travelling abroad, or just paranoid enough (fair play), enable Lockdown Mode. It nerfs a lot of features, but that’s the point: fewer features means a smaller attack surface for exactly this kind of WebKit and media-parsing bug.

Apple’s Pattern of “Fix It Later”

Now, if this sounds familiar, that’s because Apple has had a frankly embarrassing streak of zero-days in recent years. For a company that charges the price of a second-hand car for a phone and tries to flog you iCloud+ just for an email alias, the security story is wearing thin.

Let’s be honest: they’ve relied on the “We’re Apple, we’re more secure by default” myth for far too long. And a lot of consumers still believe it.

“iPhones don’t get viruses”
“Oh, Macs are safe from malware”
“Safari is more private”

Stop it. Just stop.

Security is a moving target, and every smug ad campaign about privacy is only going to attract more attention from people who want to break it.

For IT Admins and MSPs

If you’re in IT and you haven’t started pushing these updates to your fleet already, please close this tab and go do it. Now.

Then, when you're done, go have a long hard look at your endpoint management tools. If you’re relying on users to update their devices manually, you're not managing—you're hoping. And hope is not a strategy.

Also, make sure your users can’t disable USB Restricted Mode. And maybe put a real Mobile Device Management (MDM) solution in place while you’re at it.
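Since “hoping” users updated is not a strategy, here is one way to actually check. This is an added example, not the article’s or Apple’s code: a POSIX shell fleet check that compares reported macOS versions against the Sequoia build the article lists for CVE-2025-24201 (15.3.2). The inventory hostnames and versions are constructed for the example, and the check covers only the Sequoia (15.x) line, since the article lists no patched builds for older macOS lines.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: decide whether a macOS
# install is at or above the Sequoia build the article cites (15.3.2 for
# CVE-2025-24201). Older lines (14.x, 13.x) get their own patched builds,
# which the article does not list, so only Sequoia is handled here.
MIN_SEQUOIA="15.3.2"

# version_at_least CUR MIN -> true (0) when CUR >= MIN, comparing each dotted
# component as an integer. A plain string test would rank 15.10 below 15.3.2.
# Missing components count as 0, so 15.3 compares equal to 15.3.0.
version_at_least() {
  cur=$1 min=$2
  old_ifs=$IFS; IFS=.
  set -- $cur; c1=${1:-0}; c2=${2:-0}; c3=${3:-0}
  set -- $min; m1=${1:-0}; m2=${2:-0}; m3=${3:-0}
  IFS=$old_ifs
  if [ "$c1" -ne "$m1" ]; then return $(( c1 < m1 )); fi
  if [ "$c2" -ne "$m2" ]; then return $(( c2 < m2 )); fi
  return $(( c3 < m3 ))
}

# patch_status VERSION -> "patched" or "needs-update" for a Sequoia version.
patch_status() {
  if version_at_least "$1" "$MIN_SEQUOIA"; then echo patched; else echo needs-update; fi
}

# Constructed sample inventory export (hostname,macOS version), the shape of
# CSV an MDM or asset tool produces. Hosts and versions are made up.
SAMPLE_INVENTORY='mac-finance-02,15.3.1
mac-design-07,15.2
mac-dev-11,15.3.2
mac-exec-01,15.4'

# unpatched_hosts -> one hostname per line whose version is below MIN_SEQUOIA.
unpatched_hosts() {
  printf '%s\n' "$SAMPLE_INVENTORY" | while IFS=, read -r host ver; do
    if [ "$(patch_status "$ver")" = needs-update ]; then echo "$host"; fi
  done
}

# check_this_mac -> reports the local machine when run on macOS; elsewhere
# it says so and does nothing (sw_vers only exists on macOS).
check_this_mac() {
  command -v sw_vers >/dev/null 2>&1 || { echo "not macOS; skipping"; return 0; }
  v=$(sw_vers -productVersion)
  echo "$(hostname): macOS $v is $(patch_status "$v")"
}
```

Feed `unpatched_hosts` your real MDM export instead of the constructed sample and the output is the list of machines to chase.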

Wrapping It Up (Before Something Else Explodes)

Look, no system is perfect. Not Apple, not Android, not Windows (definitely not Windows). But the real sin here is complacency.

Apple does move quickly when the press catches wind of these issues. They’re good at damage control. But maybe, just maybe, let’s stop pretending that shiny equals safe.

Zero-days aren’t going away. Attackers are getting smarter. And if you’re walking around with an unpatched device, you’re the low-hanging fruit.

So, have you updated yet?

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com