Apple’s iOS 18.3.2 has arrived, including an emergency patch for an iPhone vulnerability already being exploited in real-life attacks. Following the release of iOS 18.3.2, experts weighed in to highlight the importance of updating your iPhone immediately.
Now, the U.S. Cybersecurity and Infrastructure Security Agency has issued its own warning, after adding the flaw patched in iOS 18.3.2 to its known exploited vulnerabilities (KEV) catalog. The agency has given a deadline of Apr. 3 for iPhone users to comply.
The CISA alert covers an out-of-bounds write vulnerability in WebKit, the engine that underpins the Safari browser, which is tracked as CVE-2025-24201.
The flaw fixed in iOS 18.3.2 is present in multiple Apple products. “Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox,” CISA said.
“This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing,” CISA added.
In fact, the same flaw was patched in Google Chrome too, as spotted by Josh Long, Intego’s chief security analyst, who suggests you also check Chromium-based browsers and Electron apps that rely on the Chromium codebase.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA added in its advisory.
Why You Should Heed CISA’s iOS 18.3.2 Warning
In case you don’t know already, CISA assigns a due date for patching each vulnerability listed in its KEV catalog, and the deadline varies depending on the specific flaw.
These due dates are binding on federal agencies, and they should also be used as a benchmark for patching by other organizations.
In the case of iOS 18.3.2, it was already clear that updating is urgent. In its own support document, Apple said the issue is being exploited in “an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”
While the flaw patched in iOS 18.3.2 and other Apple updates is only being used in targeted attacks, it’s only a matter of time before adversaries take advantage more widely. For federal agencies and businesses especially, it’s key to ensure users update to iOS 18.3.2 before the CISA deadline.
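For teams that want to turn the KEV deadline into a concrete check, here is an added example (not from the article, not CISA’s or Apple’s code) that reads a KEV-style record for CVE-2025-24201, reports how many days remain before the due date, and lists the devices in a fleet inventory still running a build older than iOS 18.3.2. The JSON field names follow the public KEV feed; the record and the inventory are constructed sample data, the `dateAdded` value is an assumption, the due date is the article’s April 3 with the year inferred from the CVE identifier, and the required action is quoted from the CISA advisory text above.

```python
"""Triage a CISA KEV-style entry against an iOS device inventory.

Added example: the KEV record and inventory below are constructed sample data.
Field names follow the public KEV JSON feed; dateAdded is an assumption.
"""
import json
from datetime import date
from typing import Optional

# Constructed KEV-style record. The CVE id and due date come from the article;
# the required action is CISA's published wording; dateAdded is assumed.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-24201",
            "vendorProject": "Apple",
            "product": "Multiple Products",
            "vulnerabilityName": "Apple WebKit Out-of-Bounds Write Vulnerability",
            "dateAdded": "2025-03-13",  # assumption for this sample
            "requiredAction": (
                "Apply mitigations per vendor instructions, follow applicable "
                "BOD 22-01 guidance for cloud services, or discontinue use of "
                "the product if mitigations are unavailable."
            ),
            "dueDate": "2025-04-03",
        }
    ]
})

# First iOS build that carries the fix, per the article.
FIXED_IOS = (18, 3, 2)


def parse_version(text: str) -> tuple:
    """'18.3.2' -> (18, 3, 2); '18.3' -> (18, 3, 0) so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def kev_entry(feed_json: str, cve_id: str) -> Optional[dict]:
    """Return the KEV record for cve_id, or None if it is not in the feed."""
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    return None


def days_until_due(entry: dict, today: date) -> int:
    """Days left before the KEV due date; negative once the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def noncompliant_devices(inventory: dict, fixed: tuple = FIXED_IOS) -> list:
    """Names of devices whose reported iOS version is older than the fixed build."""
    return sorted(name for name, ver in inventory.items()
                  if parse_version(ver) < fixed)


def triage(feed_json: str, cve_id: str, inventory: dict, today: date) -> dict:
    """Combine the KEV lookup, deadline arithmetic and inventory check."""
    entry = kev_entry(feed_json, cve_id)
    if entry is None:
        return {"listed": False}
    return {
        "listed": True,
        "due_date": entry["dueDate"],
        "days_left": days_until_due(entry, today),
        "required_action": entry["requiredAction"],
        "outstanding": noncompliant_devices(inventory),
    }


if __name__ == "__main__":
    # Constructed inventory: device name -> reported iOS version.
    INVENTORY = {
        "exec-iphone-01": "18.3.1",
        "exec-iphone-02": "18.3.2",
        "field-ipad-07": "17.2",
        "field-iphone-12": "18.4",
    }
    print(json.dumps(triage(KEV_SAMPLE, "CVE-2025-24201", INVENTORY,
                            date(2025, 3, 20)), indent=2))
```

Pointing `kev_entry` at the live KEV JSON feed instead of `KEV_SAMPLE`, and feeding it the versions your MDM reports, gives a daily list of devices that will miss the deadline. The version comparison deliberately pads short strings, so a device reporting "18.3" is correctly treated as older than 18.3.2 rather than failing to parse.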
