CVE-2025-43300 is a newly disclosed critical vulnerability in Apple's image-processing stack that can be exploited without any user interaction. The flaw lies in Apple's RawCamera.bundle, in the lossless-JPEG decompression routine used for DNG (Digital Negative) raw files, and a maliciously crafted DNG can turn it into arbitrary code execution on the device that decodes the file.
What makes this vulnerability alarming is that no click, tap, or open is required. Any path that hands the file to the system image decoder automatically, such as receipt through iMessage or AirDrop, or a photo import, can trigger the bug; the only precondition is that the receiving application decodes the image without asking the user.
Key Takeaways
- Remote Code Execution (RCE) can be achieved via malicious DNG files.
- The flaw has already been observed in real-world targeted attacks.
- Users should update immediately to iOS 18.6.2 or later for protection.
Technical Overview
Security researcher b1n4r1b01 published a proof-of-concept (PoC) and an analysis of the vulnerability. The issue is an out-of-bounds write (a buffer overflow) in Apple's RawCamera.bundle when it decodes DNG images whose raw data is stored with lossless JPEG compression.
The exploit leverages a mismatch between two copies of the same piece of metadata:
- The DNG file declares `SamplesPerPixel = 2` in its SubIFD directory.
- The embedded lossless-JPEG stream's SOF3 (Start of Frame 3) header declares only 1 component.
The decoder sizes its output buffer from one of these counts and writes pixel data according to the other, so the decompression routine writes past the end of the allocated buffer. That out-of-bounds write gives an attacker memory corruption that can be turned into arbitrary code execution.
Proof-of-Concept Details
The PoC is a legitimate DNG file with only two bytes changed. In the researcher's sample file the edits are:
- At offset `0x2FD00`, change `01` to `02` (raises SamplesPerPixel from 1 to 2).
- At offset `0x3E40B`, change `02` to `01` (lowers the SOF3 component count from 2 to 1).
These two edits produce the exact SamplesPerPixel/SOF3 mismatch that triggers the bug. The offsets are a property of that one sample file, not of the vulnerability: in any other DNG the SubIFD entry and the SOF3 header sit wherever that file's layout puts them, so the reliable way to recognise a trigger file is to parse both structures and compare the counts.
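As an added example, not taken from the original article or from b1n4r1b01's PoC, the following Python script checks a DNG for exactly this inconsistency in a layout-independent way: it walks the TIFF IFD and SubIFD chain, finds strips or tiles stored with Compression = 7 (lossless JPEG), parses the embedded JPEG's SOF3 frame header, and compares the component count Nf with the IFD's SamplesPerPixel. Everything here is an assumption of the example rather than something the article states: the function names, the fact that the sample files are built in memory by `build_sample_dng` (a synthetic, little-endian, single-strip DNG-shaped TIFF with no real raw data, not a camera file), and the use of the standard TIFF tag numbers. It goes beyond the two fixed offsets in the PoC because the check is structural and works on any TIFF-based DNG, including big-endian files and tiled layouts.

```python
import struct

# TIFF/DNG tag numbers (TIFF 6.0 / DNG spec); Compression 7 is how DNG stores lossless JPEG.
TAG_COMPRESSION, TAG_STRIP_OFFSETS, TAG_SAMPLES_PER_PIXEL = 0x0103, 0x0111, 0x0115
TAG_STRIP_BYTE_COUNTS, TAG_TILE_OFFSETS, TAG_TILE_BYTE_COUNTS = 0x0117, 0x0144, 0x0145
TAG_SUBIFDS, COMPRESSION_JPEG = 0x014A, 7
TYPE_FMT = {1: "B", 3: "H", 4: "I", 6: "b", 8: "h", 9: "i"}   # TIFF field types we decode


def _ifd_values(buf, endian, typ, count, raw4):
    """Decode one IFD entry's values: inline if they fit the 4-byte field, else via offset."""
    fmt = TYPE_FMT.get(typ)
    if fmt is None:
        return []
    total = struct.calcsize(fmt) * count
    if total > 4:                                   # field holds an offset to the data
        off = struct.unpack(endian + "I", raw4)[0]
        raw4 = buf[off:off + total]
    return list(struct.unpack(endian + fmt * count, raw4[:total])) if len(raw4) >= total else []


def _read_ifd(buf, endian, off):
    """Return ({tag: [values]}, next_ifd_offset) for the IFD starting at off."""
    n = struct.unpack_from(endian + "H", buf, off)[0]
    tags = {}
    for i in range(n):
        eoff = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", buf, eoff)
        tags[tag] = _ifd_values(buf, endian, typ, count, buf[eoff + 8:eoff + 12])
    return tags, struct.unpack_from(endian + "I", buf, off + 2 + 12 * n)[0]


def _walk_ifds(buf, endian, off, seen, depth=0):
    """Yield every IFD reachable via the next-IFD chain and SubIFDs (loop- and depth-limited)."""
    while off and off not in seen and depth < 8:
        seen.add(off)
        tags, nxt = _read_ifd(buf, endian, off)
        yield tags
        for sub in tags.get(TAG_SUBIFDS, []):
            yield from _walk_ifds(buf, endian, sub, seen, depth + 1)
        off = nxt


def sof3_components(jpeg):
    """Walk the JPEG marker segments; return Nf from the SOF3 frame header, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF:
        marker = jpeg[i + 1]
        if marker == 0xFF:                                       # fill byte before a marker
            i += 1
        elif marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # markers with no length field
            i += 2
        elif marker in (0xD9, 0xDA):                             # EOI / SOS reached: no SOF3
            return None
        elif marker == 0xC3:                                     # SOF3 header: Lf P Y X Nf ...
            return jpeg[i + 9] if i + 10 <= len(jpeg) else None
        else:
            i += 2 + struct.unpack_from(">H", jpeg, i + 2)[0]
    return None


def find_spp_sof3_mismatches(buf):
    """Return [(SamplesPerPixel, SOF3 Nf), ...] for every JPEG-compressed strip/tile whose
    two counts disagree, [] if the file is consistent, None if it does not parse as TIFF."""
    findings = []
    try:
        endian = {b"II": "<", b"MM": ">"}[bytes(buf[:2])]
        magic, first = struct.unpack_from(endian + "HI", buf, 2)
        if magic != 42:
            return None
        for tags in _walk_ifds(buf, endian, first, set()):
            if (tags.get(TAG_COMPRESSION) or [None])[0] != COMPRESSION_JPEG:
                continue
            spp = (tags.get(TAG_SAMPLES_PER_PIXEL) or [1])[0]              # TIFF default is 1
            offs = tags.get(TAG_STRIP_OFFSETS) or tags.get(TAG_TILE_OFFSETS) or []
            lens = tags.get(TAG_STRIP_BYTE_COUNTS) or tags.get(TAG_TILE_BYTE_COUNTS) or []
            for o, n in zip(offs, lens):
                nf = sof3_components(buf[o:o + n])
                if nf is not None and nf != spp:
                    findings.append((spp, nf))
    except (KeyError, struct.error, IndexError):
        return None
    return findings


def build_sample_dng(samples_per_pixel, sof3_nf):
    """Constructed test input (not a real camera file): minimal little-endian DNG-shaped TIFF,
    IFD0 -> SubIFD -> one lossless-JPEG strip, with the two fields the PoC makes disagree."""
    sof3 = struct.pack(">HBHHB", 8 + 3 * sof3_nf, 16, 1, 1, sof3_nf)     # Lf, P, Y, X, Nf
    sof3 += b"".join(bytes([c + 1, 0x11, 0]) for c in range(sof3_nf))    # component specs
    jpeg = b"\xff\xd8\xff\xc3" + sof3 + b"\xff\xd9"

    def ifd(entries):   # entries: (tag, type, count, inline value); TIFF requires ascending tags
        body = b"".join(struct.pack("<HHII", *e) for e in sorted(entries))
        return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0)

    sub_off = 8 + 2 + 12 * 1 + 4                  # header, then a one-entry IFD0
    jpeg_off = sub_off + 2 + 12 * 4 + 4           # then a four-entry SubIFD
    ifd0 = ifd([(TAG_SUBIFDS, 4, 1, sub_off)])
    sub = ifd([(TAG_COMPRESSION, 3, 1, COMPRESSION_JPEG), (TAG_SAMPLES_PER_PIXEL, 3, 1, samples_per_pixel),
               (TAG_STRIP_OFFSETS, 4, 1, jpeg_off), (TAG_STRIP_BYTE_COUNTS, 4, 1, len(jpeg))])
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + sub + jpeg
```

Calling `find_spp_sof3_mismatches(build_sample_dng(2, 1))` returns `[(2, 1)]`, the same disagreement the PoC creates, while `build_sample_dng(1, 1)` returns `[]`. Because the comparison is structural it does not depend on the PoC's file offsets, and because an unparseable file comes back as `None` rather than as "clean", a gateway or mail scanner should treat both non-empty and `None` results as reasons to quarantine. Run over a real DNG with `find_spp_sof3_mismatches(open(path, "rb").read())`.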
Impact and Risk Factors
| Risk Factors | Details |
|---|---|
| Affected Products | iOS 18.6.1 and earlier, iPadOS 18.6.1 and earlier, macOS Sequoia 15.6.0 and earlier, macOS Sonoma 14.7.7 and earlier, macOS Ventura 13.7.7 and earlier, iPadOS 17.7.9 and earlier |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Malicious DNG file, no user interaction, automatic image processing enabled |
| Attack Vectors | iMessage, AirDrop, photo import |
| CVSS 3.1 Score | 9.8 (Critical) |
Why It’s Dangerous
The zero-click nature of this bug makes it especially attractive for surveillance campaigns and state-sponsored attacks. Victims do not need to click, open, or interact with the malicious file; having it decoded on receipt is enough.
Apple's advisory states that it is aware of a report that the issue may have been exploited in an extremely sophisticated attack against specific targeted individuals before the patch was released. This is a weaponised capability already in use by a threat actor, not a theoretical risk.
Mitigation
Apple has patched the issue in:
- iOS 18.6.2
- iPadOS 18.6.2
- macOS Sequoia 15.6.1
- Corresponding updates for the earlier macOS releases and for iPadOS 17 listed in the table above
Organizations and individuals should apply the updates immediately. Where DNG files cross a trust boundary (mail and messaging gateways, upload handlers, shared photo libraries), scan them for the SamplesPerPixel/SOF3 mismatch described above; the file offsets quoted from the PoC identify only that sample file and should not be used as a signature on their own.
IOCs (Indicators of Compromise)
| IOC Type | Indicator |
|---|---|
| Structural check | SamplesPerPixel in the SubIFD does not match the component count in the embedded JPEG SOF3 header (valid for any DNG, independent of byte offsets) |
| File Offset (PoC sample only) | 0x2FD00 → Modified SamplesPerPixel |
| File Offset (PoC sample only) | 0x3E40B → Altered SOF3 component count |
| File Type | Maliciously crafted DNG files (lossless-JPEG compressed raw data, Compression = 7) |
| Attack Vector | iMessage, AirDrop, photo import |
| Exploit Trigger | Lossless-JPEG decompression of the mismatched DNG in RawCamera.bundle |