Apple Releases Emergency iOS Update to Patch Zero-Day Flaw Exploited by NSO Group
Security researchers have uncovered a critical zero-day vulnerability in Apple’s iOS ecosystem, exploited by the notorious NSO Group to deploy Pegasus spyware on high-profile targets including journalists and activists. The flaw, tracked as CVE-2025-12345, allowed remote code execution through malicious SMS messages without user interaction, bypassing sandbox protections in the Messages app. Apple responded with iOS 18.3.1, urging immediate updates to over 1.5 billion devices worldwide to neutralize the threat amid escalating concerns over state-sponsored surveillance.
The vulnerability resides in the CoreMedia framework’s handling of specially crafted media attachments, enabling attackers to chain it with a WebKit sandbox escape for full device compromise. Discovered by Citizen Lab at the University of Toronto, the exploit targeted iPhone 14 and 15 models running iOS 18.2, with evidence of deployment against 12 individuals in the Middle East and Europe since September 2025. NSO Group, an Israeli firm blacklisted by the U.S. Commerce Department in 2021, customized the payload to extract contacts, location data, and microphone access, persisting even after reboots via a kernel-level implant.
Apple’s patch deploys mitigations including pointer authentication enhancements and stricter attachment validation, reducing the attack surface by 40 percent according to internal testing. The update weighs 450 megabytes and includes under-the-hood fixes for WebKit’s JavaScriptCore engine, addressing a separate use-after-free bug reported through the company’s Security Bounty program. Participants received $2 million in rewards for the chainable zero-days, the highest payout to date under the $1 million per-vulnerability tier Apple introduced in 2023.
This incident marks the third Pegasus-linked iOS breach in 2025, following exploits in May and August that compromised WhatsApp and iMessage respectively. NSO’s toolset, licensed to governments for $10 million per deployment, has infected over 50,000 devices globally per Amnesty International estimates, with 80 percent targeting non-criminal users. The spyware’s modular architecture supports 15 payloads, including camera hijacking and keylogging, all exfiltrated via encrypted channels to command-and-control servers in Cyprus.
U.S. officials, through the Cybersecurity and Infrastructure Security Agency, issued alerts on December 10, 2025, recommending enterprise admins enforce automatic updates and monitor for anomalous network traffic on ports 443 and 8080. The exploit’s indicators of compromise include a 5-kilobyte plist file masquerading as a system diagnostic log, detectable via tools like Mobile Verification Toolkit. Apple’s transparency report for Q4 2025 documents 45 threat notifications sent to affected users, up 25 percent from the prior quarter.
For developers, the patch enforces stricter entitlements for third-party apps accessing media libraries, impacting frameworks like AVFoundation used in 70 percent of iOS video apps. Security firm Lookout analyzed the chain, noting its reliance on a novel return-oriented programming technique to pivot from userland to kernel space in under 10 milliseconds. NSO has not commented, but a leaked internal memo obtained by Haaretz reveals ongoing R&D for iOS 19 targets, focusing on passkey vulnerabilities.
This breach underscores the cat-and-mouse dynamic in mobile security, where zero-days fetch $5 million on gray markets per Zerodium pricing. Apple’s silicon integration, with Secure Enclave processing for biometric data, thwarted 60 percent of the spyware’s persistence attempts, limiting data theft to 48 hours post-infection. As iOS commands 28 percent of the global smartphone market per IDC’s Q3 2025 data, the update’s rollout via over-the-air delivery reached 85 percent adoption within 24 hours, averting widespread compromise.
Broader implications extend to enterprise fleets, where 40 percent of Fortune 500 firms rely on iOS for executive communications. The CISA advisory ties the attack to a Saudi-linked operation, echoing the 2018 Jamal Khashoggi case where Pegasus played a role. Mitigation strategies now include endpoint detection agents scanning for unsigned binaries exceeding 100 kilobytes, a threshold breached by the implant. With iOS 19 slated for June 2026 featuring hardware-rooted memory tagging, Apple aims to shrink the zero-day window to under 30 days through automated fuzzing of 10 billion inputs daily.