CVE-2025-24201

CRITICAL KEV

Safari < 18.3.1 - Out-of-bounds Write via Maliciously Crafted Web Content

Title source: llm

Exploitation Summary

CVE-2025-24201 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 13, 2025. EIP tracks 3 public exploits from researchers including JGoyd, The-Maxu, 5ky9uy.

AI-analyzed exploit summary This repository contains a detailed technical analysis of a zero-click RCE exploit chain (CVE-2025-24085 and CVE-2025-24201) affecting iOS 18.2.1, leveraging malicious PNG files delivered via iMessage to achieve kernel-level compromise.

Description

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Exploits (3)

github WRITEUP 30 stars

by JGoyd · poc

https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201

View Code ZIP pw:eip

This repository contains a detailed technical analysis of a zero-click RCE exploit chain (CVE-2025-24085 and CVE-2025-24201) affecting iOS 18.2.1, leveraging malicious PNG files delivered via iMessage to achieve kernel-level compromise.

Classification

Writeup 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: iOS 18.2.1 (WebKit, Core Media, MessagesBlastDoorService)

No auth needed

Prerequisites: iOS 18.2.1 device · iMessage delivery vector · maliciously crafted PNG file

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation T1505 - Server Software Component

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec SCANNER 6 stars

by The-Maxu · client-side

https://github.com/The-Maxu/CVE-2025-24201-WebKit-Vulnerability-Detector-PoC-

View Code ZIP pw:eip

This repository contains a proof-of-concept scanner to detect the presence of CVE-2025-24201, an out-of-bounds write vulnerability in WebKit's WebGL implementation. It checks if enabling a WebGL 2-specific capability in a WebGL 1 context fails to generate an error, indicating potential vulnerability.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: WebKit-based browsers (e.g., Safari) with WebGL support

No auth needed

Prerequisites: A WebKit-based browser with WebGL support

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP 4 stars

by 5ky9uy · poc

https://github.com/5ky9uy/glass-cage-i18-2025-24085-and-cve-2025-24201

View Code ZIP pw:eip

This repository contains a detailed writeup of the Glass Cage exploit chain, which leverages CVE-2025-24201 (WebKit RCE) and CVE-2025-24085 (Core Media privilege escalation) to achieve zero-click remote code execution on iOS 18.2.1 via malicious PNG images sent through iMessage.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: iOS 18.2.1 (WebKit, Core Media)

No auth needed

Prerequisites: Target device running iOS 18.2.1 · Ability to send malicious PNG via iMessage

MITRE ATT&CK