rss-bridge 2025-12-16T04:14:56+00:00

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2025-116

DATE(S) ISSUED:

12/15/2025

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

Apple is aware of a report that CVE-2025-43529 and CVE-2025-14174 may have been exploited in an extremely sophisticated attack against specific targeted individuals.

SYSTEMS AFFECTED:

  • Versions prior to iOS 26.2 and iPadOS 26.2
  • Versions prior to iOS 18.7.3 and iPadOS 18.7.3
  • Versions prior to macOS Tahoe 26.2
  • Versions prior to macOS Sequoia 15.7.3
  • Versions prior to macOS Sonoma 14.8.3
  • Versions prior to tvOS 26.2
  • Versions prior to watchOS 26.2
  • Versions prior to visionOS 26.2
  • Versions prior to Safari 26.2

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government: MEDIUM

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM

Home Users:

  • LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0002):

Technique: Exploitation for Client Execution (T1203):

  • Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report. (CVE-2025-43529)
  • An app may be able to elevate privileges. (CVE-2025-43512)

Additional lower severity vulnerabilities include:

  • An app may be able to access sensitive payment tokens. (CVE-2025-46288)
  • Processing a file may lead to memory corruption. (CVE-2025-43539, CVE-2025-5918)
  • An attacker may be able to spoof their FaceTime caller ID. (CVE-2025-46287)
  • Multiple issues in curl. (CVE-2024-7264, CVE-2025-9086)
  • Password fields may be unintentionally revealed when remotely controlling a device over FaceTime. (CVE-2025-43542)
  • An app may be able to inappropriately access files through the spellcheck API. (CVE-2025-43518)
  • Processing malicious data may lead to unexpected app termination. (CVE-2025-43532)
  • An app may be able to identify what other apps a user has installed. (CVE-2025-46279)
  • An app may be able to gain root privileges. (CVE-2025-46285, CVE-2025-43527)
  • An app may be able to access user-sensitive data. (CVE-2025-43475, CVE-2025-46292, CVE-2025-43522)
  • An app may be able to access sensitive user data. (CVE-2025-46276, CVE-2025-43538, CVE-2025-43530, CVE-2025-43523, CVE-2025-43519, CVE-2025-43521, CVE-2025-46283, CVE-2025-43509, CVE-2025-46282, CVE-2025-43463)
  • A malicious HID device may cause an unexpected process crash. (CVE-2025-43533)
  • An app may be able to access a user’s Safari history. (CVE-2025-46277)
  • Processing maliciously crafted web content may lead to an unexpected Safari crash. (CVE-2025-43541)
  • Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2025-43536, CVE-2025-43535, CVE-2025-43501, CVE-2025-43531, CVE-2025-43511)
  • Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report. (CVE-2025-14174)
  • An app may be able to access protected user data. (CVE-2025-46289, CVE-2025-43517, CVE-2025-46278, CVE-2025-43514, CVE-2025-43416)
  • An app may be able to cause a denial-of-service. (CVE-2025-43482)
  • An app may be able to break out of its sandbox. (CVE-2025-46281)
  • An app may bypass Gatekeeper checks. (CVE-2025-46291)
  • An app may be able to read sensitive location information. (CVE-2025-43513)
  • An attacker with physical access may be able to view deleted notes. (CVE-2025-43410)
  • On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted. (CVE-2025-43526)
  • A download's origin may be incorrectly associated. (CVE-2024-8906)
  • A user with Voice Control enabled may be able to transcribe another user's activity. (CVE-2025-43516)
  • An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges. (CVE-2025-43320)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the updates provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 16.13 : Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
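As an added example (not part of the MS-ISAC advisory or Apple's tooling), the following POSIX sh check compares a Mac's reported productVersion against the first fixed release for each macOS line named under SYSTEMS AFFECTED (Tahoe 26.2, Sequoia 15.7.3, Sonoma 14.8.3). Any major version not listed there (for example 13.x) is reported as not covered rather than as safe, since the advisory gives no fixed build for it. The inventory lines, hostnames and the function names `vercmp`, `macos_status` and `fleet_report` are constructed for illustration; version strings are compared field by field as integers, so the script does not understand non-numeric suffixes.

```shell
#!/bin/sh
# Added example: flag Macs still below the fixed macOS builds named in
# MS-ISAC advisory 2025-116. Fixed versions come from SYSTEMS AFFECTED;
# function names and the sample inventory are assumptions for illustration.

# vercmp A B -> prints lt, eq or gt, comparing dotted versions field by field
# as integers (so 15.7.10 sorts after 15.7.3, unlike a plain string compare).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then echo lt; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return 0; fi
        # drop the leading field; a version with no remaining dot becomes empty
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo eq
}

# macos_status VERSION -> exit 0 = at or above the fixed build, 1 = vulnerable,
# 2 = macOS line not covered by this advisory (no fix listed, so do not treat
# it as safe). Sets $fixed to the target build for the caller's message.
macos_status() {
    case "${1%%.*}" in
        26) fixed=26.2 ;;
        15) fixed=15.7.3 ;;
        14) fixed=14.8.3 ;;
        *)  return 2 ;;
    esac
    case "$(vercmp "$1" "$fixed")" in
        lt) return 1 ;;
        *)  return 0 ;;
    esac
}

# fleet_report reads "host version" lines on stdin, prints one verdict per
# host and leaves the number of hosts needing action in NEEDS_ACTION.
fleet_report() {
    NEEDS_ACTION=0
    while read -r host ver; do
        [ -z "$host" ] && continue
        rc=0
        macos_status "$ver" || rc=$?
        case $rc in
            0) echo "$host $ver OK" ;;
            1) echo "$host $ver VULNERABLE: update to $fixed"
               NEEDS_ACTION=$((NEEDS_ACTION + 1)) ;;
            *) echo "$host $ver NOT COVERED by advisory 2025-116; verify separately"
               NEEDS_ACTION=$((NEEDS_ACTION + 1)) ;;
        esac
    done
    return 0
}

# Constructed sample inventory (not real hosts). On a single Mac you could
# instead run:  macos_status "$(sw_vers -productVersion)"
fleet_report <<'EOF'
mac-01 26.2
mac-02 26.1
mac-03 15.7.3
mac-04 15.7.2
mac-05 14.8.3
mac-06 13.7.8
EOF
echo "hosts needing action: $NEEDS_ACTION"
```

The same version-floor logic applies to the iOS/iPadOS (26.2 and 18.7.3), tvOS, watchOS and visionOS lines, but those devices report their version through MDM rather than a local shell, so the inventory would come from your MDM export rather than `sw_vers`.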

[...]

