Apple fixes the zero‑day ImageIO (CVE‑2025‑43300): code execution from images, alert for crypto wallets

Extraordinary updates for iOS, iPadOS, and macOS: a flaw in ImageIO allows remote code execution just by processing an image.

Apple has released iOS/iPadOS 18.6.2 and updates for macOS, confirming exploits in the wild. The impact on user security is significant, especially for those managing wallet crypto.

The industry analysts we collaborate with observe that decoding vulnerabilities like those in ImageIO are often used in targeted campaigns against high-value users (e.g., portfolio operators, journalists, managers).

According to data collected from official security feeds and technical reports updated as of August 25, 2025, public information remains limited, and complete IOCs have not been made available.

What we know so far (recently)

The vulnerability, cataloged as CVE‑2025‑43300, affects the ImageIO framework, which handles the decoding of numerous graphic formats on iPhone, iPad, and Mac.

In the security bulletin for iOS/iPadOS 18.6.2 (released on August 21, 2025), Apple specifies that the flaw has been corrected and that “it is aware of reports of active exploits”.

An independent analysis by Qualys published the first technical details on August 21, 2025, judging the criticality as high. An interesting aspect is the breadth of the attack surface.

In summary: the corrective updates were released on August 21, 2025; investigations continue and the exploit chain can be initiated by parsing an image file in zero‑click or near-zero scenarios.

How the attack works

The flaw is an out‑of‑bounds write type in ImageIO. A specially crafted image can corrupt memory and be exploited to execute arbitrary code with the privileges of the process handling it. The exact vector has not been publicly described, but the most plausible surfaces include:

• previews and automatic decoding of images in iMessage and in other messaging apps;
• image rendering in Safari and in the WebKit engine;
• file preview (Quick Look), Photo gallery, and notifications with multimedia content.

This makes the attack potentially zero‑interaction, a rare and, it must be said, dangerous combination on mobile platforms.

Why crypto wallets are particularly exposed

Attackers often focus on user behaviors. Screenshots of seed phrase, private keys, or QR codes stored in the camera roll can be extracted with OCR and recognition tools.

If the exploit allows access to local data or bypasses permissions, the transition from the device to the funds can be very rapid. In this context, elements that increase the risk are:

• storage of recovery phrases in photos or notes with images;
• app with extended access to the gallery;
• clipboard that retains keys and seed longer than necessary.

Technical data in brief

• CVE: CVE‑2025‑43300
• Component: ImageIO (image decoding)
• Type of bug: out‑of‑bounds write (memory corruption)
• Impact: execution of arbitrary code potentially without interaction
• Platforms involved: iOS, iPadOS, macOS
• Correct versions: iOS/iPadOS 18.6.2; updates for macOS in distribution (Apple Support)
• Exploitation status: exploited in targeted attacks (confirmed by Apple in the bulletin of August 21, 2025)
• Criticality: high according to the analysis by Qualys (published on August 21, 2025)

How to understand if you have been hit

At the moment, there are no specific public Indicators of Compromise (IOC) for CVE‑2025‑43300. However, some prudent signals and checks include:

• anomalous or repeated crashes of Messages, Safari, Photos, or preview processes;
• requests for access to Photos from apps that normally should not need them;
• unusual network activity from gallery or messaging apps when they are inactive;
• presence of unknown configuration profiles in Settings > General > VPN and device management;
• check the diagnostic logs in Settings > Privacy and security > Analysis and improvements > Analysis data, looking for crashes related to ImageIO.

In the absence of public IOCs, the priority remains the installation of updates and the reduction of exposure of sensitive data. It must be said that isolated clues are not enough to confirm a compromise.

Priority Measures (5 Essential Actions)

• Install security updates: Apple indicates iOS/iPadOS 18.6.2 and updates for macOS as corrective releases for CVE‑2025‑43300. See the practical guide to update the device: How to update iOS/iPadOS.
• Limit access to Photos: grant apps only “Selected Photos” access and revoke unnecessary permissions.
• Remove seed and keys from images: delete screenshots of recovery phrases, keys, or QR codes from the camera roll; it is preferable to use offline supports or solutions documented in our guide on cold storage (Cold wallet: practical guide).
• Use cold storage for significant amounts: keeping private keys off connected devices reduces the impact of potential compromises.
• Manage the clipboard: avoid copying seed/keys, frequently clear the clipboard, and disable universal paste if not necessary.

Context and implications for Apple users

In recent months, several zero-day vulnerabilities have been fixed on iOS and macOS. Even when the fix arrives quickly, the distribution and installation times open a window of risk.

For those who safeguard digital assets, the most prudent approach combines timely updates with practices of data-minimization and key segregation. In this context, permission management remains central.

Quick FAQ

When is it convenient to install the update?

As soon as available for your device. Apple reports active exploits (bulletin of August 21, 2025), so the patch is among the current security priorities.

Is the update enough to protect the wallets?

Substantially reduces the risk related to CVE‑2025‑43300, but the protection of funds also requires the removal of seed/keys from the camera roll, more restrictive app permissions, and, for significant amounts, the use of cold wallet.

Which devices are affected?

All Apple devices that process images via ImageIO: iPhone and iPad (iOS/iPadOS) and Mac (macOS). Check in Settings > Software Update for the availability of the latest version.

Sources and insights

• Apple – Security content of iOS 18.6.2 and iPadOS 18.6.2 (bulletin of August 21, 2025; note on exploitation in the wild)
• Qualys ThreatPROTECT – Technical analysis of CVE‑2025‑43300 (published on August 21, 2025)
• NVD (National Vulnerability Database) – CVE‑2025‑43300
• MITRE – CVE‑2025‑43300

Editorial note: at the moment, the Apple bulletin does not publicly display an official CVSS score nor the specific macOS build numbers for all variants; detailed IOCs or the names of the researchers who reported the flaw have not been released. We will update this section as soon as new official publications are available (last content check: August 25, 2025).