CVE-2025-43200 — Apple Multiple Products Unspecified Vulnerability

CVE-2025-43200

Apple iOS/iPadOS/macOS/watchOS/visionOS — Memory Corruption via Malicious iCloud-Shared Photo or Video

What is Apple iCloud Photo/Video Sharing?

iCloud Links are a native Apple feature that allows users to share photos and videos from the Photos app by generating a URL that recipients can open in a browser or directly in the Photos app on Apple devices. When a recipient opens an iCloud Link, the receiving device fetches and processes the shared media. This media processing — which occurs across iOS, iPadOS, macOS, watchOS, and visionOS — involves Apple's media parsing subsystems to decode image and video formats.

Overview

Apple iOS, iPadOS, macOS, watchOS, and visionOS contain an unspecified vulnerability triggered when a device processes a maliciously crafted photo or video shared via an iCloud Link. A remote unauthenticated attacker can share such a crafted link with a target; if the target opens the link, the media processing on their device can result in disclosure of sensitive information or unintended data modification.

This vulnerability was added to the CISA KEV catalog on the same day as the patch release (June 16, 2025), indicating confirmed in-the-wild exploitation at the time of disclosure.

Affected Versions

Platform              Fixed In
iOS                   Consult Apple Security Advisory 122174
iPadOS                Consult Apple Security Advisory 122174
iOS 16 / iPadOS 16    Consult Apple Security Advisory 122173
macOS Sequoia         Consult Apple Security Advisory 122900
macOS Sonoma          Consult Apple Security Advisory 122901
macOS Ventura         Consult Apple Security Advisory 122902
watchOS               Consult Apple Security Advisory 122903
visionOS              Consult Apple Security Advisory 122904

Apply the security updates released on June 16, 2025 for your specific Apple platform and version. Consult the linked Apple Security Advisories for the exact version numbers.

Technical Details

Apple has not publicly disclosed detailed technical information about the vulnerability mechanism — this is consistent with Apple's policy of withholding specifics until users have had time to update. Based on the available information:

  • Trigger: Processing a maliciously crafted photo or video file shared via an iCloud Link
  • Scope: The vulnerability affects Apple's media handling subsystems across five platforms (iOS, iPadOS, macOS, watchOS, visionOS), indicating it is in a shared media processing library used across Apple's operating system family
  • Impact: The CVSS vector (AV:N/AC:H/PR:N/UI:R, C:L/I:L/A:N) indicates limited confidentiality and integrity impact with no availability impact — consistent with an information disclosure or memory corruption vulnerability that does not result in full code execution under normal exploitation conditions
  • Attack vector: Network delivery via an iCloud Link URL; the attacker must induce the target to open the link

Attack characteristics:

  • Remote — the attacker sends the victim a crafted iCloud Link (via iMessage, email, or any messaging platform)
  • Requires user interaction — the victim must tap/click the link to trigger media processing
  • High attack complexity — CVSS AC:H means conditions outside the attacker's control must be in place before exploitation succeeds reliably
  • No authentication required from the attacker

Discovery

Apple credited an unnamed researcher in the security advisories. The simultaneous KEV addition on the same day as patch release confirms Apple and CISA had evidence of active exploitation at the time of disclosure.

Exploitation Context

Same-day KEV addition is unusual and indicates that exploitation was confirmed in the wild before the patch was released. The iCloud Link delivery mechanism is particularly suited to social engineering attacks: attackers can send a crafted link via iMessage or other messaging services that appears to be a legitimate photo share, either from a known sender (if the attacker has compromised that sender's account) or from an unknown number.

The breadth of affected platforms (iOS, iPadOS, macOS, watchOS, visionOS) suggests this is a shared media processing library vulnerability, meaning a single crafted media file is effective against users across Apple's device ecosystem.

Remediation

  1. Update all Apple devices immediately — apply the June 16, 2025 security updates for iOS, iPadOS, macOS (Sequoia, Sonoma, Ventura), watchOS, and visionOS. Use Settings → General → Software Update on iOS/iPadOS; System Settings → General → Software Update on macOS.
  2. Exercise caution with iCloud Links from unknown senders — do not open iCloud photo/video links from unfamiliar or unexpected sources.
  3. Enable Lockdown Mode for high-risk users — individuals who may be targeted by sophisticated threat actors should consider enabling Apple's Lockdown Mode, which restricts certain media processing behaviors.
  4. Ensure automatic security updates are enabled — on iOS/iPadOS, enable Settings → General → Software Update → Automatic Updates to receive security patches promptly.

Key Details

Property              Value
CVE ID                CVE-2025-43200
Vendor / Product      Apple — Multiple Products
NVD Published         2025-06-16
NVD Last Modified     2026-04-03
CVSS 3.1 Score        4.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Severity              MEDIUM
CISA KEV Added        2025-06-16
CISA KEV Deadline     2025-07-07
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       Low
Integrity             Low
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2025-07-07. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-06-16  Apple releases security updates across all affected platforms; CVE published
2025-06-16  Added to CISA Known Exploited Vulnerabilities catalog (same day as patch)
2025-07-07  CISA BOD 22-01 remediation deadline