A “highly sophisticated” zero-day vulnerability has been discovered in Apple’s ImageIO framework. It has been actively exploited to compromise iOS and macOS devices and, in some cases, to drain cryptocurrency wallets. The exploit underlines why users must remain vigilant and update their devices immediately.
The Vulnerability: A Picture is Not Always Worth a Thousand Words
In essence, a seemingly harmless image file can now serve as a trojan horse. The vulnerability, assigned CVE-2025-43300, is an out-of-bounds write in Apple’s ImageIO framework, the core component that lets applications parse and render image files. The attack works as follows: a crafted image (or file) is sent to the target device, typically through a messaging app such as Telegram, and the recipient never has to click on it. The moment the device processes the image, even just to generate a preview of a file it has stored, the malformed data triggers memory corruption, which gives the attacker a foothold to execute code and gain access to the device.
Targeted Attacks on Valuable Individuals
Initial reporting from sources such as Rescana, a cybersecurity company, indicates that this is not a broad, indiscriminate campaign of random attacks (although the limited attack patterns observed so far could yet point to a broader attack vector). Instead, the flaw is being used in “extremely sophisticated attacks against specific targeted individuals,” particularly those with a high net worth. The user Fawi on X first brought public attention to the exploit, specifically pointing out its use to drain cryptocurrency wallets on iOS and macOS. The zero-click nature of the attack, which requires no user interaction, makes it particularly dangerous for high-profile targets, including journalists, government officials, and crypto investors.
The Mechanism of the Attack
The attacks reported on social media and by various security researchers point to a clear malicious chain of events. An attacker sends a seemingly harmless image. Because the exploit is “zero-click”, the device’s operating system processes the image to render a preview and, in doing so, executes the malicious code embedded in it. That gives the attacker control over the device and its contents. Cryptocurrency users and other holders of digital wallets are exposed to silent theft of their funds, because the wallets are linked to the compromised device. The repeated sending of the image also appears to be a persistence mechanism, intended to keep the attacker’s code active and to defeat any temporary fix or the user’s attempt to dismiss the image.
Urgent Action Required: The Solution
Apple has released security updates for its operating systems in response to this serious threat. The company fixed the vulnerability with improved bounds checking in the ImageIO framework, which closes the path the exploit relied on. The primary remedy for all Apple users is to update their devices immediately. Users on iOS 18.6.2 and higher, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8 are protected.
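To make concrete what “out-of-bounds write” and “improved bounds checking” mean in an image decoder, here is an added example (written for this page; it is not ImageIO code and does not reproduce the CVE-2025-43300 bug). It uses a constructed toy image format: a three-byte header (width, height, stride) followed by pixel rows. The unchecked decoder trusts the header, so a crafted width/height drives a copy past the caller’s buffer; the checked decoder validates every header-derived length against both the output capacity and the actual input size before it is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy image format (an assumption for this example, not a real format):
 *   byte 0     : width  in pixels
 *   byte 1     : height in pixels
 *   byte 2     : stride in bytes (bytes per row in the file, must be >= width)
 *   bytes 3..  : height * stride bytes of 8-bit pixel data
 */
#define TOY_HDR_LEN 3

enum toy_status {
    TOY_OK            =  0,
    TOY_ERR_TRUNCATED = -1,   /* file shorter than its header claims */
    TOY_ERR_TOO_LARGE = -2,   /* decoded image would not fit the output buffer */
    TOY_ERR_BAD_STRIDE = -3   /* stride smaller than width: rows would overlap */
};

/* "Before": the decoder trusts the header. The copy length and row offsets come
 * straight from file-controlled width/height, and the caller's output size is
 * never consulted, so an oversized header writes past 'out'. Kept only for
 * contrast; never call it on untrusted input. */
int decode_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    uint8_t w = in[0], h = in[1], stride = in[2];
    const uint8_t *pix = in + TOY_HDR_LEN;
    (void)in_len;                                   /* input length ignored too */
    for (size_t row = 0; row < h; row++)
        memcpy(out + row * w, pix + row * stride, w);   /* no bounds check */
    return TOY_OK;
}

/* "After": every quantity read from the file is validated before it becomes an
 * index or a length. Returns the number of pixels written, or a negative status. */
int decode_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < TOY_HDR_LEN)
        return TOY_ERR_TRUNCATED;
    size_t w = in[0], h = in[1], stride = in[2];    /* widened: no 8-bit overflow */
    if (stride < w)
        return TOY_ERR_BAD_STRIDE;
    /* Output-side check: decoded pixels must fit the caller's buffer. */
    if (w * h > out_cap)
        return TOY_ERR_TOO_LARGE;
    /* Input-side check: the file must actually contain the rows it advertises. */
    if (in_len - TOY_HDR_LEN < h * stride)
        return TOY_ERR_TRUNCATED;
    const uint8_t *pix = in + TOY_HDR_LEN;
    for (size_t row = 0; row < h; row++)
        memcpy(out + row * w, pix + row * stride, w);
    return (int)(w * h);
}

/* Constructed sample inputs. */
static const uint8_t benign[]    = { 2, 2, 2, 10, 20, 30, 40 };   /* 2x2, stride 2 */
static const uint8_t oversized[] = { 255, 255, 255, 1, 2, 3, 4 }; /* claims 255x255 */
static const uint8_t truncated[] = { 3, 3, 3, 1, 2, 3, 4 };       /* 3x3 but 4 bytes */
static const uint8_t badstride[] = { 4, 1, 2, 1, 2, 3, 4 };       /* width 4, stride 2 */

int main(void)
{
    uint8_t out[16];
    printf("benign    -> %d\n", decode_checked(benign, sizeof benign, out, sizeof out));
    printf("oversized -> %d\n", decode_checked(oversized, sizeof oversized, out, sizeof out));
    printf("truncated -> %d\n", decode_checked(truncated, sizeof truncated, out, sizeof out));
    printf("badstride -> %d\n", decode_checked(badstride, sizeof badstride, out, sizeof out));
    return 0;
}
```

The point of the two-sided check is that a decoder has two trust boundaries: the header can lie about how big the image is (output overflow) and about how much data follows (over-read of the input). A fix that adds only one of the two checks leaves the other defect in place, and widening the header fields to `size_t` before multiplying avoids the arithmetic wrapping that would otherwise let a large width and height pass a size comparison.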
Beyond updating, a crucial preventive step is to disable automatic image downloads in messaging apps. For instance, as security experts have noted, Telegram users can go to Settings -> Data and Storage and disable automatic media downloads for both cellular and Wi-Fi networks. This is an inconvenience, but it is a vital first line of defense against attacks that rely on an image being processed without the user’s consent.
The Broader Threat of Zero-Days
This incident is a reminder of the ongoing risk posed by zero-day exploits. A zero-day is a security flaw that is unknown to the software vendor and therefore unpatched. It is a formidable weapon for attackers because no patch exists until someone discovers and discloses the vulnerability. That threat actors can weaponize such flaws, and the sophistication required to do so, underline the need to stay aware of the risk. For individuals and organizations, the best defense is proactive: update all devices and software regularly, adopt multi-factor authentication, and treat unsolicited messages with caution regardless of sender. Apple responded promptly, but the incident is another round in the ongoing cat-and-mouse game between security researchers and malicious actors.