Exploitation Summary
CVE-2025-24085 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 29, 2025. EIP tracks 3 public exploits from researchers including Mohammed Idrees Banyamer, JGoyd, and 5ky9uy.
Description
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.6, macOS Sequoia 15.3, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.3, visionOS 2.3, watchOS 11.3. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.
Exploits (3)
This exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute arbitrary commands with root privileges. It creates a root payload script that adds a root shell binary, creates an admin user, and installs a persistent LaunchDaemon backdoor for root access.
This repository contains a detailed writeup of the Glass Cage exploit chain targeting iOS 18.2.1, which involves a zero-click PNG-based attack leveraging CVE-2025-24085 (Core Media privilege escalation) and CVE-2025-24201 (WebKit RCE). The attack chain is described as being used in the wild and includes steps for achieving root access and persistence.
This repository contains a detailed technical analysis of a zero-click RCE exploit chain (CVE-2025-24085 and CVE-2025-24201) targeting iOS 18.2.1 via malicious PNG files sent through iMessage. The report includes exploit chain breakdown, log evidence, and mitigation recommendations.
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H