CVE-2025-24085 — Apple Multiple Products Use-After-Free Vulnerability

Apple Core Media — Use-After-Free Enabling Local Privilege Escalation (Zero-Day, January 2025)

What is Apple Core Media?

Apple Core Media is a low-level framework present on all Apple platforms that handles time-based media processing — video, audio, and subtitles. It underpins AVFoundation (the high-level media framework used by nearly every app that plays or records media) and provides media file parsing, format conversion, and playback pipeline management. Because Core Media is invoked by any application that processes audio or video — including media players, social apps, communication apps, and the OS itself — a vulnerability in Core Media can be triggered by receiving or previewing a malicious media file.

Overview

CVE-2025-24085 is a use-after-free vulnerability (CWE-416, CVSS 3.1 base score 10.0 as recorded in the KEV frontmatter) in Apple Core Media. The vulnerability allows a malicious application to elevate privileges on iOS, macOS, and other Apple platforms. Apple confirmed it had been exploited as a zero-day against iOS versions before 17.2 prior to the January 2025 patch. CISA added it to the KEV catalog on January 29, 2025 — two days after the patch — as the first CISA KEV addition of 2025 for an Apple product.

Affected Versions

| Platform      | Vulnerable    | Fixed                |
|---------------|---------------|----------------------|
| iOS / iPadOS  | Prior to 18.3 | iOS / iPadOS 18.3    |
| macOS Sequoia | Prior to 15.3 | macOS Sequoia 15.3   |
| tvOS          | Prior to 18.3 | tvOS 18.3            |
| watchOS       | Prior to 11.3 | watchOS 11.3         |
| visionOS      | Prior to 2.3  | visionOS 2.3         |

Apple noted the zero-day was exploited on "iOS prior to 17.2," indicating the vulnerability existed across multiple iOS generations.

Technical Details

The vulnerability (CWE-416: Use After Free) is in Apple's Core Media framework. A use-after-free occurs when a program continues to use a pointer to memory after that memory has been freed. In Core Media, a timing issue in the media processing pipeline causes certain media objects to be freed while references to them are still held. A malicious application can trigger this access to freed memory and reclaim that memory with attacker-controlled data, so that the stale reference now dereferences attacker-controlled contents and execution can be redirected to attacker-controlled code.

Because Core Media operates with system-level privileges (it is a system framework rather than a user-space library), exploiting the use-after-free allows a malicious application — running with only user-level privileges — to execute code with elevated system privileges. This is a local privilege escalation (LPE) primitive, commonly used as the second stage in a full attack chain: a remote exploit provides initial access (e.g., via a WebKit bug), and CVE-2025-24085 escalates that access to full device compromise.

Discovery

Discovered internally by Apple. No external researcher is credited. Apple confirmed exploitation "against iOS versions prior to 17.2."

Exploitation Context

Apple confirmed CVE-2025-24085 was "actively exploited on iOS versions before iOS 17.2" — indicating the vulnerability was used in targeted attacks for an extended period. The CISA KEV listing on 29 January 2025 (just 2 days post-patch) is consistent with CISA having evidence of government or enterprise-targeting exploitation. This was the first major Apple zero-day of 2025. The pattern (Core Media LPE + potential WebKit initial access) is consistent with sophisticated multi-stage spyware chains used by government-grade vendors.

Remediation

  1. Update all Apple devices immediately to iOS/iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, watchOS 11.3, visionOS 2.3.
  2. Enable automatic updates to apply future emergency patches without delay.
  3. For high-risk individuals: enable Apple Lockdown Mode to reduce the attack surface for initial code execution that would chain with an LPE like this.
  4. MDM-managed enterprise fleets: push the update immediately and verify compliance within the 21-day CISA deadline.
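For step 4, a small compliance check, added here as an example and not code from Apple, CISA or this page's author: it embeds the fixed versions from the Affected Versions table above and compares device-reported versions numerically, since a plain string comparison would rank a hypothetical 18.10 below 18.3. The inventory line format and the device names are constructed assumptions, not a real MDM export.

```python
from typing import Dict, List, Tuple

# Fixed versions taken from the Affected Versions table on this page.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "18.3",
    "iPadOS": "18.3",
    "macOS": "15.3",      # macOS Sequoia 15.3
    "tvOS": "18.3",
    "watchOS": "11.3",
    "visionOS": "2.3",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '18.3.1' into (18, 3, 1) so comparison is numeric, not lexical.
    A string compare would wrongly rank '18.10' below '18.3'."""
    return tuple(int(part) for part in v.strip().split("."))

def is_patched(platform: str, version: str) -> bool:
    """True if the reported OS version is at or above the fixed release."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise ValueError(f"no fix data for platform {platform!r}")
    return parse_version(version) >= parse_version(fixed)

def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Split a 'device,platform,version' inventory (constructed sample
    format, not a real MDM export) into patched and unpatched devices."""
    result: Dict[str, List[str]] = {"patched": [], "unpatched": []}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        device, platform, version = (f.strip() for f in line.split(","))
        bucket = "patched" if is_patched(platform, version) else "unpatched"
        result[bucket].append(device)
    return result

# Constructed sample inventory; devices and versions are hypothetical.
SAMPLE_INVENTORY = [
    "# device,platform,version",
    "ceo-iphone,iOS,18.2.1",
    "dev-mac-01,macOS,15.3",
    "lobby-appletv,tvOS,18.10",
    "cto-watch,watchOS,11.2",
    "lab-vision,visionOS,2.3.1",
]

if __name__ == "__main__":
    for bucket, devices in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '(none)'}")
```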

Key Details

| Property            | Value                                        |
|---------------------|----------------------------------------------|
| CVE ID              | CVE-2025-24085                               |
| Vendor / Product    | Apple — Multiple Products                    |
| NVD Published       | 2025-01-27                                   |
| NVD Last Modified   | 2026-04-03                                   |
| CVSS 3.1 Score      | 10                                           |
| CVSS 3.1 Vector     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity            | CRITICAL                                     |
| CWE                 | CWE-416                                      |
| CISA KEV Added      | 2025-01-29                                   |
| CISA KEV Deadline   | 2025-02-19                                   |
| Known Ransomware Use| No                                           |

CVSS 3.1 Breakdown

| Metric              | Value   |
|---------------------|---------|
| Attack Vector       | Network |
| Attack Complexity   | Low     |
| Privileges Required | None    |
| User Interaction    | None    |
| Scope               | Changed |
| Confidentiality     | High    |
| Integrity           | High    |
| Availability        | High    |

Required Action

CISA BOD 22-01 Deadline: 2025-02-19. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date       | Event                                                                                                                  |
|------------|------------------------------------------------------------------------------------------------------------------------|
| 2025-01-27 | Apple releases iOS/iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, watchOS 11.3, visionOS 2.3, patching this zero-day; CVE published |
| 2025-01-29 | CISA adds to Known Exploited Vulnerabilities catalog                                                                   |
| 2025-02-19 | CISA BOD 22-01 remediation deadline                                                                                    |