The WebKit vulnerability in iOS 18.3.2, tracked as CVE-2025-24201, has been linked to "extremely sophisticated" attacks. These attacks involved maliciously crafted web content that could break out of the Web Content sandbox, potentially allowing unauthorized access to system components. The vulnerability was exploited in targeted attacks against specific individuals using older versions of iOS, specifically those before iOS 17.2, where the issue was initially mitigated[1][4][8].
Apple has described these attacks as highly sophisticated, suggesting they were likely conducted by advanced threat actors, possibly including nation-state entities or sophisticated cyber groups[1][4]. However, Apple has not disclosed specific details about the attacks, such as the identities of the attackers or the targets, in line with its policy of not discussing security issues until patches are available[1][6].
The vulnerability itself is an out-of-bounds write issue within WebKit, which powers Safari and other browsers on iOS and macOS. This flaw allowed attackers to bypass the security sandbox, which is designed to isolate web content and prevent it from accessing sensitive system resources[4][9]. The update to iOS 18.3.2 provides a supplementary fix for this vulnerability, ensuring that devices running the latest software are protected against these sophisticated attacks[3][5].
While the exact nature and scope of these attacks remain unclear, the urgency of the update and the description of the attacks as "extremely sophisticated" underscore the potential severity of the vulnerability and the importance of applying the patch promptly[2][3].
Citations:
[1] https://www.securityweek.com/apple-ships-ios-18-3-2-to-fix-already-exploited-webkit-flaw/
[2] https://www.forbes.com/sites/kateoflahertyuk/2025/03/12/ios-1832-update-now-warning-issued-to-all-iphone-users/
[3] https://www.zdnet.com/article/update-your-iphone-now-ios-18-3-2-patches-a-serious-web-browser-bug/
[4] https://arstechnica.com/security/2025/03/apple-patches-0-day-exploited-in-extremely-sophisticated-attack/
[5] https://www.bitdefender.com/en-us/blog/hotforsecurity/patch-iphone-ios-18-3-2-webkit-hackers-sophisticated-attacks
[6] https://cyberscoop.com/apple-zero-day-patch-march-2025-cve-2025-24201/
[7] https://www.simplymac.com/apps/apple-releases-safari-18-3-1
[8] https://www.bleepingcomputer.com/news/apple/apple-fixes-webkit-zero-day-exploited-in-extremely-sophisticated-attacks/
[9] https://www.techradar.com/pro/security/apple-fixes-dangerous-zero-day-used-in-attacks-against-iphones-and-ipads
[10] https://www.csoonline.com/article/3843999/apple-patches-zero-day-bugs-used-in-targeted-iphone-attacks.html