Apple Zero-Day Under Active Exploitation (CVE-2025-6558)

Apple has disclosed a critical zero-day vulnerability, tracked as CVE‑2025‑6558, affecting multiple versions of iOS, iPadOS, and macOS. The flaw is being actively exploited in the wild, with attackers using it as part of highly targeted spyware campaigns.
Overview of CVE‑2025‑6558
- CVE ID: CVE‑2025‑6558
- Type: Privilege Escalation (Kernel-level)
- Impact: Full device compromise via malicious apps
- Status: Zero-day, patched on August 7, 2025
- Exploitation: Confirmed active use in targeted campaigns
Technical Analysis
CVE‑2025‑6558 is a kernel memory corruption flaw. It is triggered by a malicious app, either sideloaded or one that has evaded App Store review, and yields arbitrary code execution with kernel privileges, giving the attacker full access to:
- User data (messages, emails, photos)
- Location tracking
- Microphone and camera
- Keychain passwords
Threat actors are believed to have chained the vulnerability with social engineering and with commercial spyware delivery frameworks of the Pegasus type.
Affected Devices
| Platform | Affected Versions |
|---|---|
| iOS | 17.4 and earlier |
| iPadOS | 17.4 and earlier |
| macOS | Ventura 13.5 and earlier |
| watchOS / tvOS | Under review |
Apple released iOS 17.5, iPadOS 17.5, and macOS 13.6 with the fix.
🛠️ Immediate Actions
🔄 Update Devices Immediately
Apple users should install the security updates released on August 7, 2025, which address the issue on all supported devices. Verify the installed version against the fixed versions listed above rather than relying on the update prompt alone.
🧹 Check for Unknown Apps
Audit devices for suspicious applications and remove unknown or unverified software, especially anything sideloaded from outside the App Store.
🔐 Use Lockdown Mode (if available)
For high-risk individuals, Apple’s Lockdown Mode narrows the attack surface these campaigns rely on (message attachments, web content, wired connections, and configuration profile installation) and can block the exploitation vectors used here.
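The three actions above can be scripted for a fleet of Macs. The following is an added example, not Apple tooling and not code from this advisory: the fixed versions are taken from the table above, while the function names, the temporary bundle layout built by demo(), and the use of the App Store receipt as a provenance signal are this example's own assumptions.

```python
"""Added example (not Apple's tooling, not code from the advisory):
patch-level check and unknown-app audit for the actions listed above.
Fixed versions come from the advisory's table; everything else here
(function names, demo() bundle layout, receipt heuristic) is assumed."""
import os
import platform
import tempfile

# Minimum versions the advisory lists as carrying the fix.
FIXED_VERSIONS = {"iOS": "17.5", "iPadOS": "17.5", "macOS": "13.6"}


def parse_version(text):
    """'13.5.2' -> (13, 5, 2). Only numeric dotted versions are expected."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(os_name, installed):
    """True when `installed` is at or above the fixed version for `os_name`."""
    have, need = parse_version(installed), parse_version(FIXED_VERSIONS[os_name])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))      # treat 13.6 as 13.6.0
    need += (0,) * (width - len(need))
    return have >= need


def local_macos_status():
    """On a Mac, return (version, patched?); elsewhere return None.
    Caveat: a Python built against an old SDK may report '10.16' here;
    `sw_vers -productVersion` is the authoritative source on the host."""
    version = platform.mac_ver()[0]
    if not version:
        return None
    return version, is_patched("macOS", version)


def apps_without_mas_receipt(apps_dir):
    """Mac App Store installs carry Contents/_MASReceipt/receipt inside the
    bundle. Bundles without one were installed some other way (direct
    download, installer package, sideload) and go on the review list."""
    flagged = []
    for name in sorted(os.listdir(apps_dir)):
        if not name.endswith(".app"):
            continue
        receipt = os.path.join(apps_dir, name, "Contents", "_MASReceipt", "receipt")
        if not os.path.isfile(receipt):
            flagged.append(name)
    return flagged


def demo():
    """Build a constructed /Applications look-alike with one App Store bundle
    and one sideloaded bundle, then return the names the audit flags."""
    root = tempfile.mkdtemp(prefix="apps-")
    store_receipt = os.path.join(root, "Store.app", "Contents", "_MASReceipt")
    os.makedirs(store_receipt)
    open(os.path.join(store_receipt, "receipt"), "wb").close()
    os.makedirs(os.path.join(root, "Sideloaded.app", "Contents", "MacOS"))
    return apps_without_mas_receipt(root)


if __name__ == "__main__":
    print("local macOS:", local_macos_status())
    print("13.5.2 is unpatched:", not is_patched("macOS", "13.5.2"))
    print("flagged in demo:", demo())
```

On a real host, run apps_without_mas_receipt over /Applications and ~/Applications; a missing receipt only means "not from the App Store", so confirm each flagged bundle's provenance with `codesign --verify --deep --strict` and `spctl --assess --type execute` before removing it. iOS and iPadOS expose no equivalent filesystem, so there the version check is done in Settings and the app audit by hand.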
Threat Actor Attribution
According to researchers at Mandiant and Citizen Lab, the zero-day has been used against journalists, human rights activists, and government officials in regions with known spyware activity.
No direct attribution has been made, but the exploit chains used show similarities to NSO Group, Candiru, and APT-C-62 tradecraft.
Detection & Forensics
- Monitor for unusual data access patterns (messages, photos, camera)
- Review the device’s analytics logs (on iOS: Settings > Privacy & Security > Analytics & Improvements > Analytics Data) for crash reports and other anomalies
- Inspect for third-party kernel extensions or unauthorized configuration profiles (on macOS: `kmutil showloaded` and `profiles list`)
For EDR/XDR analysts:
- Watch for applications exploiting /private/var/... memory leaks
- Scan crash logs for unknown memory access errors and suspicious IPC calls
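The crash-log check above is the one that scales: a process that repeatedly dies with EXC_BAD_ACCESS inside an IOKit or Mach call, from code living outside the system paths, is the footprint of an app hammering a kernel bug. The following triage script is an added example, not Apple's code and not the advisory's: the .ips reports in SAMPLE_REPORTS are constructed for the example, and the trusted-path prefixes, the kernel/IPC symbol list, the repeat threshold and the function names are this example's own choices.

```python
"""Added example (not Apple's code, not the advisory's): triage of .ips
crash reports for the indicators listed above. SAMPLE_REPORTS is constructed;
TRUSTED_PREFIXES, KERNEL_IFACE_SYMBOLS, the threshold and all names are assumed."""
import glob
import json
import os
from collections import defaultdict

# Code under these paths is Apple's or a normally installed app; anything
# else showing up in a faulting thread deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/lib/", "/usr/libexec/", "/Applications/")
# User-space entry points into the kernel (IOKit user clients, Mach messaging).
KERNEL_IFACE_SYMBOLS = ("IOConnectCall", "mach_msg")


def parse_ips(text):
    """An .ips file is a one-line JSON header followed by a JSON body."""
    header_line, _, body = text.partition("\n")
    return json.loads(header_line), json.loads(body)


def classify(header, body):
    """Extract the few facts the heuristics need from one report."""
    exc = body.get("exception", {})
    images = body.get("usedImages", [])
    frames = body["threads"][body.get("faultingThread", 0)].get("frames", [])
    untrusted = set()
    for frame in frames:
        idx = frame.get("imageIndex")
        if idx is not None and idx < len(images):
            path = images[idx].get("path", "")
            if path and not path.startswith(TRUSTED_PREFIXES):
                untrusted.add(path)
    symbols = [f.get("symbol", "") for f in frames]
    return {"proc": body.get("procName", header.get("app_name", "?")),
            "memory_fault": exc.get("type") == "EXC_BAD_ACCESS",
            "subtype": exc.get("subtype", ""),
            "kernel_iface": any(s.startswith(KERNEL_IFACE_SYMBOLS) for s in symbols),
            "untrusted_images": sorted(untrusted)}


def triage(reports, repeat_threshold=3):
    """reports: {filename: text}. One finding per process that trips a
    heuristic, highest score first; quiet processes are omitted."""
    per_proc = defaultdict(list)
    for text in reports.values():
        info = classify(*parse_ips(text))
        per_proc[info["proc"]].append(info)
    findings = []
    for proc, crashes in per_proc.items():
        faults = [c for c in crashes if c["memory_fault"]]
        reasons = []
        if faults:
            reasons.append("%d memory-access fault(s): %s" % (len(faults), faults[0]["subtype"]))
        if len(faults) >= repeat_threshold:
            reasons.append("repeated faults in one process (exploit retries?)")
        if any(c["kernel_iface"] for c in faults):
            reasons.append("faulted inside an IOKit/Mach call")
        untrusted = sorted({p for c in crashes for p in c["untrusted_images"]})
        if untrusted:
            reasons.append("code outside trusted paths: " + ", ".join(untrusted))
        if reasons:
            findings.append({"proc": proc, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def load_reports(*dirs):
    """Read every *.ips under the given DiagnosticReports directories."""
    reports = {}
    for d in dirs:
        for path in glob.glob(os.path.join(os.path.expanduser(d), "*.ips")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                reports[os.path.basename(path)] = fh.read()
    return reports


def _report(proc, proc_path, exc_type, subtype, frames, images):
    """Constructed report in the .ips shape (header line + JSON body)."""
    header = {"app_name": proc, "bug_type": "309", "os_version": "macOS 13.5 (22G74)"}
    body = {"procName": proc, "procPath": proc_path,
            "exception": {"type": exc_type, "subtype": subtype}, "faultingThread": 0,
            "threads": [{"triggered": True, "frames": frames}], "usedImages": images}
    return json.dumps(header) + "\n" + json.dumps(body)


KERNEL_DYLIB = {"path": "/usr/lib/system/libsystem_kernel.dylib"}
IOKIT = {"path": "/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit"}
UPDATER = "/Users/alice/Downloads/Updater.app/Contents/MacOS/Updater"  # constructed
SAMPLE_REPORTS = {  # constructed: one benign abort in a system app
    "Notes-1.ips": _report("Notes", "/System/Applications/Notes.app/Contents/MacOS/Notes",
                           "EXC_CRASH", "", [{"symbol": "__pthread_kill", "imageIndex": 0}],
                           [KERNEL_DYLIB])}
for n in range(3):  # plus three identical bad-access faults from a downloaded binary
    SAMPLE_REPORTS["Updater-%d.ips" % n] = _report(
        "Updater", UPDATER, "EXC_BAD_ACCESS", "KERN_INVALID_ADDRESS at 0x0000000000000010",
        [{"symbol": "IOConnectCallMethod", "imageIndex": 1}, {"symbol": "stage2", "imageIndex": 2}],
        [KERNEL_DYLIB, IOKIT, {"path": UPDATER}])


if __name__ == "__main__":
    live = load_reports("~/Library/Logs/DiagnosticReports", "/Library/Logs/DiagnosticReports")
    for finding in triage(live or SAMPLE_REPORTS):
        print(finding["proc"], finding["score"], *finding["reasons"], sep="\n  ")
```

Run it on a Mac and it reads the user and system DiagnosticReports folders; with nothing there it falls back to the constructed samples, where only Updater is reported, with all four heuristics firing. On iOS the same .ips files are what Settings exposes under Analytics Data and can be shared off the device for the same analysis.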
Conclusion
CVE‑2025‑6558 is another stark reminder of the sophistication and speed with which threat actors exploit mobile ecosystems. Even with Apple’s robust defenses, attack chains that need little or no user interaction remain viable in high-value operations.
Security teams must adopt defense in depth: prioritize mobile EDR tooling and enforce device-patching SLAs to shrink the window of exposure to rapidly evolving zero-day threats.