Apple Patches Everything: March 31st 2025 Edition
Today, Apple released updates across all its products: iOS, iPadOS, macOS, tvOS, visionOS, Safari, and XCode. WatchOS was interestingly missing from the patch lineup. This is a feature update for the operating systems, but we get patches for 145 different vulnerabilities in addition to new features. This update includes a patch for CVE-2025-24200 and CVE-2025-24201, two already exploited iOS vulnerabilities, for older iOS/iPadOS versions. Current versions received this patch a few weeks ago.
| Safari 18.4 | Xcode 16.3 | iOS 18.4 and iPadOS 18.4 | iPadOS 17.7.6 | iOS 16.7.11 and iPadOS 16.7.11 | iOS 15.8.4 and iPadOS 15.8.4 | macOS Sequoia 15.4 | macOS Sonoma 14.7.5 | macOS Ventura 13.7.5 | tvOS 18.4 | visionOS 2.4 |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-40864: An attacker in a privileged network position can track a user's activity. Affects Apple Account |
||||||||||
| x | x | |||||||||
| CVE-2024-54502: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit |
||||||||||
| x | ||||||||||
| CVE-2024-54508: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit |
||||||||||
| x | ||||||||||
| CVE-2024-54533: An app may be able to access sensitive user data. Affects Spotlight |
||||||||||
| x | x | |||||||||
| CVE-2024-54534: Processing maliciously crafted web content may lead to memory corruption. Affects WebKit |
||||||||||
| x | ||||||||||
| CVE-2025-24093: An app may be able to access removable volumes without user consent. Affects Sandbox |
||||||||||
| x | ||||||||||
| CVE-2025-24095: An app may be able to bypass Privacy preferences. Affects RepairKit |
||||||||||
| x | x | |||||||||
| CVE-2025-24097: An app may be able to read arbitrary file metadata. Affects AirDrop |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24113: Visiting a malicious website may lead to user interface spoofing. Affects Safari |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-24139: Parsing a maliciously crafted file may lead to an unexpected app termination. Affects sips |
||||||||||
| x | ||||||||||
| CVE-2025-24148: A malicious JAR file may bypass Gatekeeper checks. Affects LaunchServices |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24157: An app may be able to cause unexpected system termination or corrupt kernel memory. Affects Xsan |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24163: Parsing a file may lead to an unexpected app termination. Affects CoreAudio |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24164: An app may be able to modify protected parts of the file system. Affects PackageKit |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24167: A download's origin may be incorrectly associated. Affects Safari |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24170: An app may be able to gain root privileges. Affects CoreServices |
||||||||||
| x | x | |||||||||
| CVE-2025-24172: "Block All Remote Content" may not apply for all mail previews. Affects Mail |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24173: An app may be able to break out of its sandbox. Affects Power Services |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-24178: An app may be able to break out of its sandbox. Affects libxpc |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-24180: A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix. Affects Authentication Services |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24181: An app may be able to access protected user data. Affects Sandbox |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24182: Processing a maliciously crafted font may result in the disclosure of process memory. Affects CoreText |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24190: Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory. Affects CoreMedia |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-24191: An app may be able to modify protected parts of the file system. Affects RPAC |
||||||||||
| x | ||||||||||
| CVE-2025-24192: Visiting a website may leak sensitive data. Affects Web Extensions |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24193: An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos. Affects MobileLockdown |
||||||||||
| x | ||||||||||
| CVE-2025-24194: Processing maliciously crafted web content may result in the disclosure of process memory. Affects libnetcore |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24195: A user may be able to elevate privileges. Affects Libinfo |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24196: An attacker with user privileges may be able to read kernel memory. Affects Kernel |
||||||||||
| x | x | |||||||||
| CVE-2025-24198: An attacker with physical access may be able to use Siri to access sensitive user data. Affects Siri |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-24199: An app may be able to cause a denial-of-service. Affects Foundation |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24200: A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.. Affects Accessibility |
||||||||||
| x | x | |||||||||
| CVE-2025-24201: Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.). Affects WebKit |
||||||||||
| x | x | |||||||||
| CVE-2025-24202: An app may be able to access sensitive user data. Affects Accessibility |
||||||||||
| x | x | |||||||||
| CVE-2025-24203: An app may be able to modify protected parts of the file system. Affects Kernel |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24204: An app may be able to access protected user data. Affects Kernel |
||||||||||
| x | ||||||||||
| CVE-2025-24205: An app may be able to access user-sensitive data. Affects Siri |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-24207: An app may be able to enable iCloud storage features without user consent. Affects Storage Management |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24208: Loading a malicious iframe may lead to a cross-site scripting attack. Affects WebKit |
||||||||||
| x | x | |||||||||
| CVE-2025-24209: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-24210: Parsing an image may lead to disclosure of user information. Affects ImageIO |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-24211: Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory. Affects CoreMedia |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-24212: An app may be able to break out of its sandbox. Affects Calendar |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-24213: A type confusion issue could lead to memory corruption. Affects WebKit |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-24214: An app may be able to access sensitive user data. Affects Siri |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24215: A malicious app may be able to access private information. Affects CloudKit |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-24216: Processing maliciously crafted web content may lead to an unexpected Safari crash. Affects WebKit |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-24217: An app may be able to access sensitive user data. Affects Siri |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24218: An app may be able to access information about a user's contacts. Affects Summarization Services |
||||||||||
| x | ||||||||||
| CVE-2025-24221: Sensitive keychain data may be accessible from an iOS backup. Affects Accounts |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24226: A malicious app may be able to access private information. Affects IDE Assets |
||||||||||
| x | ||||||||||
| CVE-2025-24228: An app may be able to execute arbitrary code with kernel privileges. Affects SMB |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24229: A sandboxed app may be able to access sensitive user data. Affects Installer |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24230: Playing a malicious audio file may lead to an unexpected app termination. Affects CoreAudio |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-24231: An app may be able to modify protected parts of the file system. Affects Software Update |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24232: A malicious app may be able to access arbitrary files. Affects NSDocument |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24233: A malicious app may be able to read or write to protected files. Affects AppleMobileFileIntegrity |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24234: A malicious app may be able to gain root privileges. Affects AccountPolicy |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24235: A remote attacker may be able to cause unexpected app termination or heap corruption. Affects Kerberos Helper |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24236: An app may be able to access sensitive user data. Affects CoreMedia |
||||||||||
| x | x | |||||||||
| CVE-2025-24237: An app may be able to cause unexpected system termination. Affects BiometricKit |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-24238: An app may be able to gain elevated privileges. Affects libxpc |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-24239: An app may be able to access protected user data. Affects AppleMobileFileIntegrity |
||||||||||
| x | ||||||||||
| CVE-2025-24240: An app may be able to access user-sensitive data. Affects StorageKit |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24241: An app may be able to trick a user into copying sensitive data to the pasteboard. Affects WindowServer |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24242: An app with root privileges may be able to access private information. Affects System Settings |
||||||||||
| x | ||||||||||
| CVE-2025-24243: Processing a maliciously crafted file may lead to arbitrary code execution. Affects Audio |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-24244: Processing a maliciously crafted font may result in the disclosure of process memory. Affects Audio |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-24245: A malicious app may be able to access a user's saved passwords. Affects Authentication Services |
||||||||||
| x | ||||||||||
| CVE-2025-24246: An app may be able to access user-sensitive data. Affects OpenSSH |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24247: An attacker may be able to cause unexpected app termination. Affects WindowServer |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24248: An app may be able to enumerate devices that have signed into the user's Apple Account. Affects Siri |
||||||||||
| x | ||||||||||
| CVE-2025-24249: An app may be able to check the existence of an arbitrary path on the file system. Affects Installer |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24250: A malicious app acting as a HTTPS proxy could get access to sensitive user data. Affects Security |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24253: An app may be able to access protected user data. Affects StorageKit |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24254: A user may be able to elevate privileges. Affects Software Update |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24255: An app may be able to break out of its sandbox. Affects Disk Images |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24256: An app may be able to disclose kernel memory. Affects GPU Drivers |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24257: An app may be able to cause unexpected system termination or write kernel memory. Affects IOGPUFamily |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24259: An app may be able to retrieve Safari bookmarks without an entitlement check. Affects Parental Controls |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24260: An attacker in a privileged position may be able to perform a denial-of-service. Affects smbx |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24261: An app may be able to modify protected parts of the file system. Affects PackageKit |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24262: A sandboxed app may be able to access sensitive user data in system logs. Affects Notes |
||||||||||
| x | ||||||||||
| CVE-2025-24263: An app may be able to observe unprotected user data. Affects StickerKit |
||||||||||
| x | ||||||||||
| CVE-2025-24264: Processing maliciously crafted web content may lead to an unexpected Safari crash. Affects WebKit |
||||||||||
| x | ||||||||||
| CVE-2025-24265: An app may be able to cause unexpected system termination. Affects Xsan |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24266: An app may be able to cause unexpected system termination. Affects Xsan |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24267: An app may be able to gain root privileges. Affects DiskArbitration |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24269: An app may be able to cause unexpected system termination. Affects SMB |
||||||||||
| x | ||||||||||
| CVE-2025-24272: An app may be able to modify protected parts of the file system. Affects AppleMobileFileIntegrity |
||||||||||
| x | ||||||||||
| CVE-2025-24273: An app may be able to cause unexpected system termination or corrupt kernel memory. Affects GPU Drivers |
||||||||||
| x | ||||||||||
| CVE-2025-24276: A malicious app may be able to access private information. Affects App Store |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24277: An app may be able to gain root privileges. Affects Crash Reporter |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24278: An app may be able to access protected user data. Affects System Settings |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24279: An app may be able to access contacts. Affects Voice Control |
||||||||||
| x | x | x | ||||||||
| CVE-2025-24280: An app may be able to access user-sensitive data. Affects Shortcuts |
||||||||||
| x | x | |||||||||
| CVE-2025-24281: An app may be able to access sensitive user data. Affects FeedbackLogger |
||||||||||
| x | ||||||||||
| CVE-2025-24282: An app may be able to modify protected parts of the file system. Affects Software Update |
||||||||||
| x | ||||||||||
| CVE-2025-24283: An app may be able to access sensitive user data. Affects Focus |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30424: Deleting a conversation in Messages may expose user contact information in system logging. Affects Photos Storage |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30425: A malicious website may be able to track users in Safari private browsing mode. Affects WebKit |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-30426: An app may be able to enumerate a user's installed apps. Affects NetworkExtension |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-30427: Processing maliciously crafted web content may lead to an unexpected Safari crash. Affects WebKit |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-30428: Photos in the Hidden Photos Album may be viewed without authentication. Affects Photos |
||||||||||
| x | x | |||||||||
| CVE-2025-30429: An app may be able to break out of its sandbox. Affects Calendar |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-30430: Password autofill may fill in passwords after failing authentication. Affects Authentication Services |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30432: A malicious app may be able to attempt passcode entries on a locked device and thereby cause escalating time delays after 4 failures. Affects Kernel |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-30433: A shortcut may be able to access files that are normally inaccessible to the Shortcuts app. Affects Shortcuts |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-30434: Processing a maliciously crafted file may lead to a cross site scripting attack. Affects Journal |
||||||||||
| x | ||||||||||
| CVE-2025-30435: A sandboxed app may be able to access sensitive user data in system logs. Affects Siri |
||||||||||
| x | ||||||||||
| CVE-2025-30437: An app may be able to corrupt coprocessor memory. Affects IOMobileFrameBuffer |
||||||||||
| x | ||||||||||
| CVE-2025-30438: A malicious app may be able to dismiss the system notification on the Lock Screen that a recording was started. Affects Share Sheet |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-30439: An attacker with physical access to a locked device may be able to view sensitive user information. Affects Focus |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30441: An app may be able to overwrite arbitrary files. Affects Instruments |
||||||||||
| x | ||||||||||
| CVE-2025-30443: An app may be able to access user-sensitive data. Affects AppleMobileFileIntegrity |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30444: Mounting a maliciously crafted SMB network share may lead to system termination. Affects SMB |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30446: A malicious app with root privileges may be able to modify the contents of system files. Affects PackageKit |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30447: An app may be able to access sensitive user data. Affects Foundation |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-30449: An app may be able to gain root privileges. Affects StorageKit |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30450: An app may be able to access sensitive user data. Affects manpages |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30451: An app may be able to access sensitive user data. Affects FaceTime |
||||||||||
| x | ||||||||||
| CVE-2025-30452: An input validation issue was addressed. Affects Sandbox |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30454: A malicious app may be able to access private information. Affects CoreMedia Playback |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-30455: A malicious app may be able to access private information. Affects Dock |
||||||||||
| x | x | |||||||||
| CVE-2025-30456: An app may be able to gain root privileges. Affects DiskArbitration |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-30457: A malicious app may be able to create symlinks to protected regions of the disk. Affects SystemMigration |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30458: An app may be able to read files outside of its sandbox. Affects SceneKit |
||||||||||
| x | ||||||||||
| CVE-2025-30460: An app may be able to access protected user data. Affects Automator |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30461: An app may be able to access protected user data. Affects Foundation |
||||||||||
| x | ||||||||||
| CVE-2025-30462: Apps that appear to use App Sandbox may be able to launch without restrictions. Affects dyld |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30463: An app may be able to access sensitive user data. Affects Handoff |
||||||||||
| x | x | |||||||||
| CVE-2025-30464: An app may be able to cause unexpected system termination or corrupt kernel memory. Affects GPU Drivers |
||||||||||
| x | x | |||||||||
| CVE-2025-30465: A shortcut may be able to access files that are normally inaccessible to the Shortcuts app. Affects Shortcuts |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-30467: Visiting a malicious website may lead to address bar spoofing. Affects Safari |
||||||||||
| x | x | x | ||||||||
| CVE-2025-30469: A person with physical access to an iOS device may be able to access photos from the lock screen. Affects Photos |
||||||||||
| x | ||||||||||
| CVE-2025-30470: An app may be able to read sensitive location information. Affects Maps |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-30471: A remote user may be able to cause a denial-of-service. Affects Security |
||||||||||
| x | x | x | x | x | x | x | ||||
| CVE-2025-31182: An app may be able to delete files for which it does not have permission. Affects libxpc |
||||||||||
| x | x | x | x | x | x | |||||
| CVE-2025-31183: An app may be able to access sensitive user data. Affects Siri |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-31184: An app may gain unauthorized access to Local Network. Affects Web Extensions |
||||||||||
| x | x | x | x | |||||||
| CVE-2025-31187: An app may be able to modify protected parts of the file system. Affects Dock |
||||||||||
| x | x | x | ||||||||
| CVE-2025-31188: An app may be able to bypass Privacy preferences. Affects StorageKit |
||||||||||
| x | x | x | ||||||||
| CVE-2025-31191: An app may be able to access sensitive user data. Affects CoreServices |
||||||||||
| x | x | x | x | x | ||||||
| CVE-2025-31192: A website may be able to access sensor information without user consent. Affects Safari |
||||||||||
| x | x | x | ||||||||
| CVE-2025-31194: A Shortcut may run with admin privileges without authentication. Affects Shortcuts |
||||||||||
| x | x | x | ||||||||
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Apache Camel Exploit Attempt by Vulnerability Scan (CVE-2025-27636, CVE-2025-29891)
About three weeks ago, Apache patched two vulnerabilities in Apache Camel. The two vulnerabilities (CVE-2025-27636 and CVE-2025-29891) may lead to remote code execution, but not in the default configuration. The vulnerability is caused by Apache Camel using case-sensitive filters to restrict which headers may be used. However HTTP headers are not case-sensitive, and an attacker may trivially bypass the filter.
At this point, the attempts we see originate from authorized vulnerability scanners. I do not call this "exploited" yet, but the exploit is trivial, and actual exploitation is likely, but the number of vulnerable systems is likely small. The vulnerability is still interesting because (a) It uses HTTP headers, and I am currently focusing on HTTP headers (b) it is trivial to exploit.
Here is a sample request:
Host: [victim IP]:9000
Accept-Charset: iso-8859-1,*,utf-8
Pragma: no-cache
camelexeccommandargs: -c 5 -p 5f4f70656e564153565439313338305f [IP address redacted]
camelexeccommandexecutable: ping
User-Agent: [vulnerability scanner]
Connection: Keep-Alive
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Cache-Control: no-cache
Accept-Language: en
Why do I believe that these are authorized vulnerability scans?
- The target IP of the "ping" is an internal IP address
- The User-Agent is the name of a well respected security company (redacted to protect the innocent)
- The victim IP is also an internal IP address.
- the hexadecimal ping payload decodes to "_OpenVASVT91380_". OpenVAS is an open source vulnerability scanner unsuitable for typical internet wide scans done by attackers we usually observe.
Could this still be an actual attack? Sure. Everything is possible. But it is very unlikely that an attacker would spoof this user agent, and this attacker would already be "inside" the network.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Keywords: apache camel
0 comment(s)ISC Stormcast For Monday, March 31st, 2025 https://isc.sans.edu/podcastdetail/9386
Comments