
Apple CVE-2025-24201

Severity: CRITICAL
Weakness: Out-of-bounds Write (CWE-787)
2025-03-11 product-security@apple.com
CVSS 3.1: 10.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Added to CISA KEV: Apr 03, 2026 - 11:45 (cisa; CISA KEV)
Patch released: Mar 31, 2026 - 21:13 (nvd; Patch available)
Analysis Generated: Mar 12, 2026 - 19:52 (vuln.today)
CVE Published: Mar 11, 2025 - 18:15 (nvd; CRITICAL 10.0)

Description (NVD)

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1, watchOS 11.4, iPadOS 17.7.6, iOS 16.7.11 and iPadOS 16.7.11, iOS 15.8.4 and iPadOS 15.8.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)

Analysis (AI)

A critical out-of-bounds write in WebKit's rendering engine allows maliciously crafted web content to escape the Web Content sandbox, achieving native code execution on Apple devices. Rated CVSS 10.0 and KEV-listed, CVE-2025-24201 is a supplementary fix for a previously patched vulnerability that was being actively exploited in extremely sophisticated targeted attacks. It affects all Apple platforms: iOS, iPadOS, macOS, Safari, visionOS, and watchOS.

Technical Context (AI)

This is a sandbox escape vulnerability in WebKit's rendering pipeline. Unlike typical WebKit memory corruption bugs that execute code within the sandboxed Web Content process, this vulnerability breaks the sandbox boundary, allowing attacker code to run with the privileges of the parent process. Apple described this as a 'supplementary fix' for a previously addressed issue, suggesting the original patch was incomplete. The sandbox escape makes this significantly more dangerous than standard browser RCE vulnerabilities.

Remediation (AI)

Update all Apple devices immediately. Fixed versions: iOS/iPadOS 18.3.2+, macOS Sequoia 15.3.2+, Safari 18.3.1+. This is a sandbox escape with confirmed in-the-wild exploitation; treat it as an emergency priority. Organizations should push MDM updates and verify compliance.
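
One way to run the compliance check mentioned above, as an added example (not vuln.today's or Apple's code): it compares each device's version against the fixed release for its branch, taken from the description on this page. The inventory, host names and the `review` status for branches the page does not list are assumptions.

```python
import re

# Fixed release per (platform, major branch), from the description on this page.
FIXED = {
    ("visionOS", 2): "2.3.2", ("macOS", 15): "15.3.2",
    ("Safari", 18): "18.3.1", ("watchOS", 11): "11.4",
    ("iOS", 18): "18.3.2", ("iPadOS", 18): "18.3.2",
    ("iPadOS", 17): "17.7.6",
    ("iOS", 16): "16.7.11", ("iPadOS", 16): "16.7.11",
    ("iOS", 15): "15.8.4", ("iPadOS", 15): "15.8.4",
}

def parse_version(text):
    """'11.4' -> (11, 4, 0); None when the string has no leading dotted number."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so 11.4 == 11.4.0

def classify(platform, version):
    """Return 'patched', 'vulnerable', or 'review' (needs a human decision)."""
    v = parse_version(version)
    if v is None:
        return "review"  # unparseable version string
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        return "review"  # the page lists no fixed release for this branch
    return "patched" if v >= parse_version(fixed) else "vulnerable"

# Constructed sample inventory: (host, platform, reported version).
INVENTORY = [
    ("phone-01", "iOS", "18.3.1"),
    ("phone-02", "iOS", "18.3.2"),
    ("phone-03", "iOS", "17.6.1"),     # branch not listed on the page
    ("tablet-01", "iPadOS", "17.7.6"),
    ("phone-04", "iOS", "16.7.9"),     # 9 < 11: a string compare gets this wrong
    ("watch-01", "watchOS", "11.4"),
    ("mac-01", "macOS", "15.3.2 (a)"), # trailing suffix is ignored
    ("mac-02", "macOS", "14.7.4"),     # branch not listed on the page
]

def audit(inventory):
    """Map each host to its compliance status."""
    return {host: classify(platform, ver) for host, platform, ver in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```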
