A detailed proof-of-concept exploit and comprehensive vulnerability analysis have been released for CVE-2025-43300, a critical zero-click remote code execution flaw affecting Apple’s image processing infrastructure. 

The vulnerability, discovered in Apple’s implementation of JPEG Lossless Decompression within the RawCamera.bundle, allows attackers to achieve code execution without any user interaction through maliciously crafted DNG (Digital Negative) files.

Key Takeaways
1. Apple vulnerability via malicious DNG files triggers RCE.
2. Used in real-world targeted attacks.
3. Update to iOS 18.6.2+ immediately.

Apple Zero-Click Exploit

The vulnerability represents a significant security threat as it enables zero-click exploitation through Apple’s automatic image processing system. 

Researcher b1n4r1b01 published detailed technical analysis and reproduction steps, revealing that the flaw stems from a buffer overflow condition in the JPEG lossless decompression routine within RawCamera.bundle.

The attack mechanism exploits a mismatch between metadata declarations and actual image data. 

Specifically, the vulnerability occurs when a DNG file declares SamplesPerPixel = 2 in its SubIFD directory but contains only 1 component in the SOF3 (Start of Frame 3) block of the embedded JPEG lossless data. 

This inconsistency triggers an out-of-bounds write condition during decompression, allowing attackers to corrupt memory and potentially achieve arbitrary code execution.

The proof-of-concept requires minimal modifications to a legitimate DNG file, making it particularly dangerous. 

Attackers need only alter two specific bytes: changing offset 0x2FD00 from 01 to 02 (modifying SamplesPerPixel) and offset 0x3E40B from 02 to 01 (altering the SOF3 component count). These precise modifications create the critical mismatch that triggers the vulnerability.

The vulnerability exploits fundamental assumptions in Apple’s TIFF/DNG parsing engine and its interaction with JPEG lossless compression. 

DNG files, based on Adobe’s open-source raw image format specification, utilize the TIFF container structure with embedded JPEG lossless compressed image data in SubIFDs.

Risk Factors / Details
Affected Products: iOS 18.6.1 and earlier; iPadOS 18.6.1 and earlier; macOS Sequoia 15.6.0 and earlier; macOS Sonoma 14.7.7 and earlier; macOS Ventura 13.7.7 and earlier; iPadOS 17.7.9 and earlier
Impact: Remote Code Execution (RCE)
Exploit Prerequisites: Maliciously crafted DNG file; no user interaction required; automatic image processing enabled; target device processing the image via iMessage, AirDrop, or photo import
CVSS 3.1 Score: 9.8 (Critical)

The attack leverages the complex interaction between multiple file format standards. The TIFF header structure contains an Image File Directory (IFD) with 12-byte directory entries specifying tags, types, counts, and values. 

The vulnerability specifically targets the SamplesPerPixel tag (0x0115) within SubIFDs that reference JPEG lossless compressed data marked with the Compression tag value 7.

When the decompression routine processes the JPEG data, it relies on the SOF3 marker (0xFFC3) to determine the actual component structure. The SOF3 segment contains critical metadata, including precision, dimensions, and most importantly, the component count. 

The vulnerability occurs when this component count disagrees with the previously declared SamplesPerPixel value, causing the decompression algorithm to write beyond allocated buffer boundaries.
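The metadata mismatch described in the two preceding passages (a SamplesPerPixel tag in a SubIFD that disagrees with the component count in the SOF3 segment of the lossless-JPEG strip it references) can be checked for on the defender's side before a file reaches an image pipeline. The following scanner is an added example written for this article; it is not the researcher's proof-of-concept and not Apple's code. It walks the TIFF directory chain and SubIFDs, and for every IFD with Compression = 7 compares SamplesPerPixel with the Nf byte of the first SOF3 marker in each strip. Assumptions: little-endian ("II") classic TIFF only, SubIFD pointers stored as LONG values, and one SOF3 per strip. The `build_sample` fixture constructs a minimal, non-decodable stub (header, IFD0, one SubIFD, a two-marker JPEG) purely so the scanner has input to run against offline.

```python
"""
Consistency scanner for DNG/TIFF files: flag any IFD whose SamplesPerPixel
tag disagrees with the component count (Nf) in the SOF3 segment of the
lossless-JPEG data it references. Supports little-endian classic TIFF only.
"""
import struct

TAG_COMPRESSION = 0x0103
TAG_STRIP_OFFSETS = 0x0111
TAG_SAMPLES_PER_PIXEL = 0x0115
TAG_STRIP_BYTE_COUNTS = 0x0117
TAG_SUBIFDS = 0x014A
COMPRESSION_JPEG = 7
SOF3_MARKER = b"\xff\xc3"

# TIFF field type -> (byte size, struct format char); only the types needed here
TYPE_INFO = {1: (1, "B"), 2: (1, "B"), 3: (2, "H"), 4: (4, "I"), 13: (4, "I")}


def read_ifd(data, offset):
    """Return ({tag: [values]}, next_ifd_offset) for the IFD at `offset`."""
    (count,) = struct.unpack_from("<H", data, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n, value_or_off = struct.unpack_from("<HHII", data, pos)
        if typ in TYPE_INFO:
            size, fmt = TYPE_INFO[typ]
            # values of 4 bytes or fewer are stored inline in the entry,
            # larger ones live at the offset given in the value field
            src = pos + 8 if size * n <= 4 else value_or_off
            entries[tag] = list(struct.unpack_from("<" + fmt * n, data, src))
        pos += 12
    (next_ifd,) = struct.unpack_from("<I", data, pos)
    return entries, next_ifd


def sof3_components(jpeg):
    """Return Nf from the first SOF3 segment, or None if there is none."""
    i = jpeg.find(SOF3_MARKER)
    if i < 0 or i + 10 > len(jpeg):
        return None
    # FF C3 | Lf(2) | P(1) | Y(2) | X(2) | Nf(1)  -> Nf sits at i + 9
    return jpeg[i + 9]


def walk_ifds(data, offset, seen=None):
    """Yield every IFD reachable via next-IFD links and SubIFDs (cycle-safe)."""
    seen = set() if seen is None else seen
    while offset and offset not in seen and offset + 2 <= len(data):
        seen.add(offset)
        entries, next_ifd = read_ifd(data, offset)
        yield entries
        for sub in entries.get(TAG_SUBIFDS, []):
            yield from walk_ifds(data, sub, seen)
        offset = next_ifd


def find_mismatches(data):
    """Return [(samples_per_pixel, sof3_nf)] for every inconsistent lossless-JPEG IFD."""
    if data[:4] != b"II*\x00":
        raise ValueError("only little-endian classic TIFF is handled by this scanner")
    (ifd0,) = struct.unpack_from("<I", data, 4)
    findings = []
    for ifd in walk_ifds(data, ifd0):
        if ifd.get(TAG_COMPRESSION, [None])[0] != COMPRESSION_JPEG:
            continue
        spp = ifd.get(TAG_SAMPLES_PER_PIXEL, [1])[0]   # TIFF default is 1
        for off, ln in zip(ifd.get(TAG_STRIP_OFFSETS, []), ifd.get(TAG_STRIP_BYTE_COUNTS, [])):
            nf = sof3_components(data[off:off + ln])
            if nf is not None and nf != spp:
                findings.append((spp, nf))
    return findings


def build_sample(spp, nf):
    """Constructed fixture, not a real image: header, IFD0 -> SubIFD -> one JPEG strip."""
    sof3 = SOF3_MARKER + struct.pack(">HBHHB", 8 + 3 * nf, 16, 1, 1, nf)
    for c in range(nf):
        sof3 += bytes([c + 1, 0x11, 0])          # Ci, Hi/Vi, Tqi per component
    jpeg = b"\xff\xd8" + sof3 + b"\xff\xd9"       # SOI, SOF3, EOI only

    def entry(tag, typ, n, value):               # one 12-byte directory entry
        return struct.pack({3: "<HHIH2x", 4: "<HHII"}[typ], tag, typ, n, value)

    ifd0_off, sub_off = 8, 8 + 2 + 12 + 4
    jpeg_off = sub_off + 2 + 4 * 12 + 4
    ifd0 = struct.pack("<H", 1) + entry(TAG_SUBIFDS, 4, 1, sub_off) + struct.pack("<I", 0)
    sub = (struct.pack("<H", 4)
           + entry(TAG_COMPRESSION, 3, 1, COMPRESSION_JPEG)
           + entry(TAG_STRIP_OFFSETS, 4, 1, jpeg_off)
           + entry(TAG_SAMPLES_PER_PIXEL, 3, 1, spp)
           + entry(TAG_STRIP_BYTE_COUNTS, 4, 1, len(jpeg))
           + struct.pack("<I", 0))
    return b"II*\x00" + struct.pack("<I", ifd0_off) + ifd0 + sub + jpeg


if __name__ == "__main__":
    print("consistent :", find_mismatches(build_sample(1, 1)))
    print("mismatched :", find_mismatches(build_sample(2, 1)))
```

A non-empty result is a reason to quarantine the file for manual review rather than proof of exploitation; legitimate writers never produce this disagreement, so the check has a low false-positive rate, but a real DNG may also use big-endian headers, IFD-typed SubIFD pointers, or tiles instead of strips, none of which this minimal scanner handles.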

The RawCamera.bundle, which handles various raw image formats on iOS, lacks symbol information, making reverse engineering challenging. 

However, the researcher notes that not all DNG files with JPEG lossless compression reach the vulnerable code path, requiring specific conditions that align with the proof-of-concept sample provided.

Apple’s security advisory acknowledges that CVE-2025-43300 has been actively exploited in sophisticated attacks targeting specific individuals, elevating this from a theoretical vulnerability to a confirmed threat actor tool. 

The zero-click nature makes it particularly attractive for targeted surveillance operations, as victims require no interaction beyond receiving the malicious file.

The vulnerability affects multiple Apple platforms, including iOS 18.6.1, iPadOS 18.6.1, and various macOS versions. 

Apple has released patches in iOS 18.6.2, iPadOS 18.6.2, macOS Sequoia 15.6.1, and corresponding updates for the earlier macOS versions. The researcher confirmed that the proof-of-concept does not crash iOS 18.6.2, indicating successful mitigation.

The attack surface extends beyond direct file processing, as DNG files can be automatically processed through various iOS subsystems, including iMessage, AirDrop, and photo import functions. 

Organizations should prioritize immediate patching and implement additional detection mechanisms to identify potential exploitation attempts targeting this critical vulnerability.
