CVE-2025-24085 Apple WebKit/Safari Active Zero Day

BLUF

CVE-2025-24085 is a high-severity (CVSS 10.0/7.8) zero-day use-after-free vulnerability in Apple's CoreMedia framework. A malicious application that reaches the defect can elevate privileges and gain unauthorized control of the system. It was actively exploited in the wild before Apple's January 2025 patch, primarily against older iOS versions. Apple released emergency patches for the actively exploited vulnerability (CVE-2025-24085), which is reachable through WebKit and allows arbitrary code execution via maliciously crafted websites or images.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

 

For organizations affected by active exploitation of CVE-2025-24085 through Apple WebKit/CoreMedia on end-user devices:

- Low-end total cost: $750K – $1.5M
  - Limited devices affected, rapid patching, no data access confirmed
- Typical expected range: $1.5M – $4M
  - Multiple endpoints compromised, productivity disruption, legal review required
- Upper-bound realistic scenarios: $4M – $8M
  - Widespread device exposure, delayed patching, regulatory notifications triggered

Key Cost Drivers

- Size of Apple device footprint and patch latency across fleets
- Number of users requiring device reimaging or replacement
- Confirmation of privilege escalation leading to data access
- Regulatory jurisdiction and reporting obligations
- Cyber insurance deductibles and zero-day exclusions

Targeted Sectors

- Federal enterprise (as per CISA)
- Mobile and desktop users
- Organizations utilizing Apple infrastructure
- Apple device users (iPhones, Macs, iPads)

Countries

- Global

 

Date of First Reported Activity

- January 19-20, 2026

Date of Last Reported Activity Update

- January 20, 2026

CVE-2025-24085

CVSS 3.1

- 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Nessus ID

- 233570
- 233569
- 214659
- 214658

Is CVE-2025-24085 on the KEV list?

- Yes

What is the CISA patch-by date for CVE-2025-24085?

- February 19, 2025

URL to patch information

- hxxps://support.apple.com/en-us/122066
- hxxps://support.apple.com/en-us/122068
- hxxps://support.apple.com/en-us/122071
- hxxps://support.apple.com/en-us/122072
- hxxps://support.apple.com/en-us/122073

APT Group Names

- No APT groups have been publicly associated with CVE-2025-24085

Criminal Organizations

- No criminal organizations have been publicly associated with CVE-2025-24085

IOCs

- App-Based Delivery
  - Exploitation typically occurs via a malicious application already installed on the device or a "fake" app masquerading as a multimedia player.
- "Glass Cage" Campaign
  - Forensic reports from October 2025 link this CVE to a campaign dubbed "Glass Cage," which uses zero-click iMessage vectors to achieve persistent iOS compromise.
- Anomalous Processes
  - Look for unauthorized privilege escalation or unusual memory access by media-processing applications.

Tools Used

- Web-based browser exploits

TTPs

Privilege Escalation (TA0004)

- T1068 Exploitation for Privilege Escalation
  - A malicious application installed on the device exploits the use-after-free memory management defect in the CoreMedia component to gain elevated privileges.

Execution (TA0002)

- T1203 Exploitation for Client Execution
  - The vulnerability allows an attacker to manipulate freed memory to execute attacker-controlled code. This can be triggered through a "fake app" designed to handle multimedia files.

Defense Evasion (TA0005)

- T1055 Process Injection
  - Exploiting use-after-free bugs often involves manipulating memory to inject and execute code within the context of a higher-privileged process.

 

Malware Names

- No specific malware name has been assigned. CVE-2025-24085 has often been delivered via "FakeUpdates" frameworks or malicious "media player" apps.

Malware Samples

- These will vary greatly

Suggested rules / potential hunts

As a reminder, these are indicator rules and are likely to be noisy. For best results, consider building a data model and reviewing the matching traffic as a report.

Suricata

Monitor for unusual media file types (e.g., .mp4, .mov) delivered from untrusted external sources, as the exploit is often hidden within fake media files. The content match below is the first 12 bytes of an ISO BMFF (MP4) file whose leading ftyp box is exactly 32 bytes long with major brand mp42 (66 74 79 70 is "ftyp", 6d 70 34 32 is "mp42"). It is a generic MP4 fingerprint, so expect hits on benign media, and it will miss MP4 files whose ftyp box has a different size or brand. The match is applied to the HTTP response body via file_data so that it is evaluated against the delivered file rather than against the HTTP headers.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2025-24085 Core Media Exploit Delivery"; flow:established,to_client; file_data; content:"|00 00 00 20 66 74 79 70 6d 70 34 32|"; depth:12; classtype:attempted-admin; sid:202524085; rev:1;)
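To make the fingerprint concrete, the following Python is an added example (not part of the original advisory and not a vendor rule) that parses the ISO BMFF box structure the Suricata content match keys on, extracts the ftyp major brand, and compares the first 12 bytes of a file against the rule's fixed pattern. Both sample files are constructed inline; the second is a valid MP4 with a 24-byte ftyp box and brand isom, which the fixed-size pattern does not catch, illustrating why the rule is a coarse indicator rather than a detection of the exploit itself.

```python
import struct

# Constructed sample: 32-byte ftyp box (major brand mp42, minor version 0,
# compatible brands mp42/isom/avc1/mp41) followed by an empty mdat box.
SAMPLE_MP4 = (
    struct.pack(">I4s", 32, b"ftyp")
    + b"mp42" + struct.pack(">I", 0)
    + b"mp42isomavc1mp41"
    + struct.pack(">I4s", 8, b"mdat")
)

# Constructed sample: 24-byte ftyp box (brand isom). Also a valid MP4, but its
# first 12 bytes differ from the fixed pattern used by the Suricata rule.
SAMPLE_ISOM = (
    struct.pack(">I4s", 24, b"ftyp")
    + b"isom" + struct.pack(">I", 512)
    + b"isomiso2"
    + struct.pack(">I4s", 8, b"mdat")
)

# The rule's content bytes: |00 00 00 20 66 74 79 70 6d 70 34 32|
RULE_PATTERN = bytes.fromhex("00000020667479706d703432")


def iter_boxes(data: bytes):
    """Yield (type, payload) for each top-level ISO BMFF box.

    Handles 64-bit 'largesize' boxes (size == 1) and size == 0 (box runs to
    end of data). Stops silently on a malformed or truncated box instead of
    raising, so the caller can treat the input as 'not a well-formed MP4'.
    """
    off, n = 0, len(data)
    while off + 8 <= n:
        size, btype = struct.unpack_from(">I4s", data, off)
        hdr = 8
        if size == 1:
            if off + 16 > n:
                return
            size = struct.unpack_from(">Q", data, off + 8)[0]
            hdr = 16
        elif size == 0:
            size = n - off
        if size < hdr or off + size > n:
            return  # malformed or truncated box
        yield btype, data[off + hdr:off + size]
        off += size


def ftyp_major_brand(data: bytes):
    """Return the major brand if the first box is an ftyp box, else None."""
    for btype, payload in iter_boxes(data):
        if btype == b"ftyp" and len(payload) >= 4:
            return payload[:4].decode("ascii", "replace")
        return None  # first box is not ftyp: not a conventional MP4
    return None


def matches_rule_content(data: bytes) -> bool:
    """Replicate the rule's fixed 12-byte content match at depth 12."""
    return data[:12] == RULE_PATTERN


def classify(data: bytes) -> dict:
    """Structural MP4 check next to the rule's byte-pattern check."""
    brand = ftyp_major_brand(data)
    return {
        "is_mp4": brand is not None,
        "brand": brand,
        "rule_hit": matches_rule_content(data),
    }


if __name__ == "__main__":
    for name, blob in (("mp42 sample", SAMPLE_MP4), ("isom sample", SAMPLE_ISOM)):
        print(name, classify(blob))
```

The structural parser reports both samples as MP4, while only the first trips the rule's pattern; a hunt that wants every externally delivered MP4 should therefore key on the ftyp box type rather than on one fixed size-plus-brand prefix.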

 

SentinelOne

Hunt for privilege escalation from media services (a shell spawned directly by the media playback daemon):

EventType = "Process Creation" AND
ParentProcessName = "mediaplaybackd" AND
(ProcessName = "sh" OR ProcessName = "zsh" OR ProcessName = "bash")

Repeated crashes of media-related apps followed by shell execution can indicate exploit attempts:

EventType = "App Crash" AND
ProcessName IN ("CoreMedia", "mediaplaybackd")
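The two SentinelOne hunts above are stronger when correlated: a shell spawned by a media service within minutes of that service crashing is far more suspicious than either event alone. The following Python is an added example (not SentinelOne's query language and not vendor code) that runs both hunts and the correlation over a constructed event list; the event field names (ts, device, type, process, parent) are assumptions for the example, not SentinelOne schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real SentinelOne output). Times are ISO 8601.
EVENTS = [
    {"ts": "2025-01-28T10:00:01", "device": "mac-01", "type": "App Crash",
     "process": "mediaplaybackd", "parent": "launchd"},
    {"ts": "2025-01-28T10:00:04", "device": "mac-01", "type": "App Crash",
     "process": "mediaplaybackd", "parent": "launchd"},
    {"ts": "2025-01-28T10:00:09", "device": "mac-01", "type": "Process Creation",
     "process": "zsh", "parent": "mediaplaybackd"},      # crash -> crash -> shell
    {"ts": "2025-01-28T11:30:00", "device": "mac-02", "type": "Process Creation",
     "process": "sh", "parent": "mediaplaybackd"},       # shell, no preceding crash
    {"ts": "2025-01-28T12:00:00", "device": "mac-03", "type": "App Crash",
     "process": "CoreMedia", "parent": "launchd"},       # crash, no shell
    {"ts": "2025-01-28T12:00:01", "device": "mac-03", "type": "Process Creation",
     "process": "QuickTime Player", "parent": "launchd"},
]

MEDIA_PROCS = {"mediaplaybackd", "CoreMedia"}
SHELLS = {"sh", "zsh", "bash"}


def shell_from_media(events):
    """Hunt 1: shells whose parent process is a media service."""
    return [e for e in events
            if e["type"] == "Process Creation"
            and e["parent"] in MEDIA_PROCS
            and e["process"] in SHELLS]


def media_crashes(events):
    """Hunt 2: crashes of media-related processes."""
    return [e for e in events
            if e["type"] == "App Crash" and e["process"] in MEDIA_PROCS]


def correlate(events, window_seconds=300, min_crashes=1):
    """Per device, flag a media-spawned shell preceded by at least
    `min_crashes` media crashes within `window_seconds`.

    Returns {device: (number_of_recent_crashes, shell_event)}.
    """
    window = timedelta(seconds=window_seconds)
    crashes = defaultdict(list)
    for e in media_crashes(events):
        crashes[e["device"]].append(datetime.fromisoformat(e["ts"]))

    hits = {}
    for e in shell_from_media(events):
        t = datetime.fromisoformat(e["ts"])
        recent = [c for c in crashes[e["device"]] if timedelta(0) <= t - c <= window]
        if len(recent) >= min_crashes:
            hits[e["device"]] = (len(recent), e)
    return hits


if __name__ == "__main__":
    for device, (n, shell) in correlate(EVENTS).items():
        print(f"{device}: {n} media crash(es) then {shell['process']} "
              f"spawned by {shell['parent']} at {shell['ts']}")
```

Raising min_crashes or shrinking window_seconds trades recall for precision; the stand-alone shell hunt still surfaces mac-02 for triage, but only mac-01 meets the correlated condition.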

 

 

Splunk

Detection of elevated privileges via sandbox escape (unified log messages from the media playback daemon that mention a sandbox escape or privilege escalation; the OR is parenthesized so that both message patterns are restricted to that process):

index=endpoint sourcetype="macos_unified_logs" process="mediaplaybackd"
  (event_message="*sandbox*escape*" OR event_message="*privilege*escalation*")

Use Splunk to identify devices running vulnerable OS versions (below iOS 18.3 or macOS 15.3). The version match is anchored to the whole version string and evaluated per platform, so a value such as 18.20 is not misclassified as vulnerable:

index=inventory sourcetype="os_info"
| eval status=case(
    match(OS, "(?i)^i(pad)?os$") AND match(os_version, "^(1[0-7]\..*|18\.[0-2](\..*)?)$"), "Vulnerable",
    match(OS, "(?i)^macos$") AND match(os_version, "^(1[0-4]\..*|15\.[0-2](\..*)?)$"), "Vulnerable",
    true(), "Patched")
| where status="Vulnerable"
| table DeviceName, OS, os_version
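Version strings are compared numerically, not lexically, so a single unanchored regex such as (1[0-7]\..*|18\.[0-2]) over the version string will, for example, flag 18.20 (which contains "18.2") and treat macOS 15.3 as "below 18.3". The following Python is an added example (not from the advisory and not Splunk code) that does the comparison the way an inventory check should: parse the dotted version into a tuple and compare it against the patched floor for each platform (iOS 18.3 and macOS 15.3, as stated above). The inventory rows and their field names are constructed for the example.

```python
import re

# Patched floors as stated in the advisory: anything lower is vulnerable.
PATCHED_FLOOR = {"iOS": (18, 3), "macOS": (15, 3)}

# The naive pattern discussed in the lead-in, kept only for comparison.
NAIVE_REGEX = re.compile(r"(1[0-7]\..*|18\.[0-2])")

# Constructed inventory rows (not real data).
INVENTORY = [
    {"DeviceName": "iphone-a", "OS": "iOS",    "os_version": "18.2.1"},
    {"DeviceName": "iphone-b", "OS": "iOS",    "os_version": "18.3"},
    {"DeviceName": "iphone-c", "OS": "iOS",    "os_version": "17.7.2"},
    {"DeviceName": "iphone-d", "OS": "iOS",    "os_version": "18.20"},   # not < 18.3
    {"DeviceName": "mac-a",    "OS": "macOS",  "os_version": "15.2"},
    {"DeviceName": "mac-b",    "OS": "macOS",  "os_version": "15.3.1"},
    {"DeviceName": "mac-c",    "OS": "macOS",  "os_version": "14.7.3"},
    {"DeviceName": "linux-a",  "OS": "Ubuntu", "os_version": "24.04"},
    {"DeviceName": "mac-x",    "OS": "macOS",  "os_version": "n/a"},
]


def parse_version(s):
    """'18.2.1' -> (18, 2, 1); None if the string is not dotted integers."""
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        return None
    return tuple(int(p) for p in s.split("."))


def status(os_name, version):
    """'Vulnerable', 'Patched', 'Unknown' (unparseable version) or 'N/A' (other OS)."""
    floor = PATCHED_FLOOR.get(os_name)
    if floor is None:
        return "N/A"
    v = parse_version(version)
    if v is None:
        return "Unknown"
    # Tuple comparison is element-wise numeric: (18, 2, 1) < (18, 3) is True,
    # (18, 20) < (18, 3) is False, (15, 3, 1) < (15, 3) is False.
    return "Vulnerable" if v < floor else "Patched"


def naive_regex_flags(version):
    """What the unanchored regex would say (True means 'Vulnerable')."""
    return NAIVE_REGEX.search(version) is not None


def vulnerable_devices(inventory):
    """Rows that need patching, in inventory order."""
    return [r for r in inventory if status(r["OS"], r["os_version"]) == "Vulnerable"]


def unknown_devices(inventory):
    """Rows whose version could not be parsed: worth a manual look, not silently 'Patched'."""
    return [r for r in inventory if status(r["OS"], r["os_version"]) == "Unknown"]


if __name__ == "__main__":
    for r in INVENTORY:
        print(r["DeviceName"], r["OS"], r["os_version"],
              status(r["OS"], r["os_version"]),
              "naive-regex:", naive_regex_flags(r["os_version"]))
```

Unparseable versions are surfaced as "Unknown" rather than folded into "Patched", which is the safer default for an inventory report that drives patch follow-up.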

Delivery Method

- Social engineering via malicious third-party applications or malicious media files designed to trigger the CoreMedia UAF condition.

References

NVD

- hxxps://nvd.nist.gov/vuln/detail/CVE-2025-24085

SentinelOne

- hxxps://www.sentinelone.com/vulnerability-database/cve-2025-24085/

Tenable

- hxxps://www.tenable.com/cve/CVE-2025-24085/plugins

CISA KEV catalog

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24085

Support Apple

- hxxps://support.apple.com/en-us/122066
- hxxps://support.apple.com/en-us/122068
- hxxps://support.apple.com/en-us/122071
- hxxps://support.apple.com/en-us/122072
- hxxps://support.apple.com/en-us/122073
