CVE-2025-43300

CRITICAL KEV

iOS <15.8.5, <16.7.12 - Memory Corruption

Exploitation Summary

CVE-2025-43300 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 21, 2025. EIP tracks 9 public exploits from researchers including hunters-sec, JGoyd, PwnToday.

Description

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12, iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, macOS Ventura 13.7.8. Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

Exploits (9)

nomisec WORKING POC 104 stars
by hunters-sec · local
https://github.com/hunters-sec/CVE-2025-43300

This repository contains a working PoC for CVE-2025-43300, a critical memory corruption vulnerability in Apple's DNG image processing framework. The exploit leverages inconsistencies between TIFF metadata and JPEG stream parameters to trigger buffer overflows, potentially leading to RCE on iOS/macOS systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apple iOS 18.6.1 and macOS (RawCamera.bundle)
No auth needed
Prerequisites: Vulnerable iOS/macOS system · Ability to deliver malicious DNG file
devstral-2 · analyzed Feb 16, 2026

github WRITEUP 30 stars
by JGoyd · poc
https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201

This repository contains a detailed technical analysis of a zero-click RCE exploit chain (CVE-2025-43300, CVE-2025-24085, CVE-2025-24201) affecting iOS 18.2.1, leveraging malicious PNG files delivered via iMessage to achieve kernel-level compromise, sandbox escape, and persistent device control.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: iOS 18.2.1 (iPhone 14 Pro Max)
No auth needed
Prerequisites: Target device running iOS 18.2.1 · Ability to send iMessage to the target · Maliciously crafted PNG file with embedded HEIF payload
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 5 stars
by PwnToday · poc
https://github.com/PwnToday/CVE-2025-43300

This repository contains a Python script to create a proof-of-concept exploit for CVE-2025-43300, a memory corruption vulnerability in Apple's RawCamera.bundle affecting iOS 18.6.1 and macOS. The exploit manipulates DNG file metadata to trigger a buffer overflow by mismatching TIFF and JPEG Lossless parameters.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apple RawCamera.bundle (iOS 18.6.1 and macOS)
No auth needed
Prerequisites: A vulnerable DNG file · Access to a target system running affected iOS/macOS versions
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 3 stars
by 7amzahard · client-side
https://github.com/7amzahard/CVE-2025-43300

The repository contains an interactive CLI tool for analyzing DNG files for CVE-2025-43300 indicators, including metadata and JPEG stream analysis. It does not contain exploit code but provides functionality to create and modify DNG files for research purposes.

Classification: Scanner 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: DNG (Digital Negative) file format
No auth needed
Prerequisites: DNG file with specific metadata and JPEG streams
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by ticofookfook · client-side
https://github.com/ticofookfook/CVE-2025-43300

This PoC demonstrates a buffer overflow vulnerability in DNG file processing due to a mismatch between TIFF metadata (SamplesPerPixel=2) and JPEG data (3 components), leading to remote code execution (RCE). The exploit generates a malformed DNG file that triggers the overflow when parsed.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Software processing DNG files (specific vendor/version not specified)
No auth needed
Prerequisites: Ability to deliver a malformed DNG file to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by Dark-life944 · client-side
https://github.com/Dark-life944/CVE-2025

This repository contains a working PoC for CVE-2025-43300, a memory corruption vulnerability in Apple's DNG image processing. It includes tools to analyze and modify DNG files to trigger the vulnerability via metadata/stream inconsistencies.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apple iOS 18.6.1 and macOS (RawCamera.bundle)
No auth needed
Prerequisites: A vulnerable DNG file or the ability to modify one · Target system running affected iOS/macOS version
devstral-2 · analyzed Feb 16, 2026

github WRITEUP
by danielw98 · htmlpoc
https://github.com/danielw98/zero-click-exploit-analysis

This repository provides a detailed technical analysis of the 2025 WhatsApp/ImageIO zero-click exploit chain (CVE-2025-55177 + CVE-2025-43300), including a research paper, interactive web companion, and hands-on labs for heap/stack exploitation techniques. It includes patch diffs, root cause analysis, and educational resources.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: WhatsApp/ImageIO (iOS)
No auth needed
Prerequisites: knowledge of memory corruption techniques · understanding of iOS security mechanisms
devstral-2 · analyzed Apr 25, 2026

nomisec WRITEUP
by AR-DEV-1 · poc
https://github.com/AR-DEV-1/CVE-2025-43300-exp

This repository contains a writeup describing CVE-2025-43300, an out-of-bounds write vulnerability in Apple's Image I/O framework affecting iOS, iPadOS, and macOS. The vulnerability allows remote code execution (RCE) via a maliciously crafted image file, with reports of in-the-wild exploitation.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Apple iOS, iPadOS, and macOS (Image I/O framework)
No auth needed
Prerequisites: Maliciously crafted image file · Target device to process the image
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 10.0
EPSS 0.0442
EPSS Percentile 89.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-08-21
VulnCheck KEV 2025-08-20
ENISA EUVD EUVD-2025-25409
CWE CWE-787
Status published
Products (10)
Apple/iOS and iPadOS < 15.8.5
Apple/iOS and iPadOS < 16.7.12
Apple/iOS and iPadOS < 18.6.2
apple/ipados < 15.8.5
Apple/iPadOS < 17.7.10
apple/iphone_os < 15.8.5
apple/macos < 13.7.8
Apple/macOS < 13.7.8
Apple/macOS < 14.7.8
Apple/macOS < 15.6.1
Published Aug 21, 2025
KEV Added Aug 21, 2025
Tracked Since Feb 18, 2026