Apple has released iOS 18.6.2 and iPadOS 18.6.2 along with macOS Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8 to fix a zero-day in the ImageIO framework that was exploited in the wild.
Per Apple, processing a malicious image could corrupt memory, enabling code execution, and the company is aware of a report of use in an extremely sophisticated attack targeting specific individuals.
The flaw sits in ImageIO, the component that parses common image formats, which makes delivery via everyday channels, including messaging apps and web content, straightforward from an attacker’s perspective. As security outlets reported, the bug is tracked as CVE-2025-43300 and stems from an out-of-bounds write that Apple addressed with improved bounds checking.
The crypto angle is direct. Wallet owners often copy and paste recipient addresses, and many keep recovery phrases in screenshots or photo storage for convenience. Research this year documented families of mobile spyware and stealers that scan galleries using optical character recognition and exfiltrate images with seed phrases, as well as strains that monitor the clipboard to swap addresses during a transaction.
As Kaspersky reported, SparkCat and its successor SparkKitty used OCR to harvest seed phrases from photos on both iOS and Android, including samples observed on official app stores.
A compromise achieved through a booby-trapped image can, therefore, act as an initial foothold to enable gallery scraping for recovery phrases, surveillance of crypto app activity, and clipboard hijacking during on-chain transfers. Previous research on clipboard hijackers explains how address strings are silently replaced to redirect funds during copy-paste, a tactic long used by drainer operations.
The current incident also fits a pattern of high-value iOS exploit chains used against targeted users. In 2023, Citizen Lab documented a zero-click chain, dubbed Blastpass, used to deliver commercial spyware, demonstrating how image and message parsing bugs can be linked for device takeover without user interaction.
That historical baseline, coupled with Apple’s acknowledgment of real-world use in the present case, frames the risk for crypto users who rely on mobile devices as primary signing endpoints.
Impact spans recent iPhone models and iPads covered by iOS 18 and iPadOS 18, including iPhone XS and later, plus supported Macs on Sequoia, Sonoma, and Ventura. Users can verify protection by confirming iOS or iPadOS 18.6.2, macOS Sequoia 15.6.1, Sonoma 14.7.8, or Ventura 13.7.8 in Settings, then rebooting after installation.
Security outlets urged immediate updates following Apple’s release and disclosure.
For a crypto-savvy audience, the operational takeaway is to close exposure by updating and to reduce post-exploit blast radius by moving seed storage off photo libraries, reviewing app photo permissions, limiting clipboard access, and treating mobile wallets as hot environments with strict hygiene.
Apple’s notes state the root cause was an out-of-bounds write in ImageIO that is now mitigated with stricter bounds checks, and the company confirmed exploitation reports when shipping the patch.
Mentioned in this article
Source: https://cryptoslate.com/apple-patches-ios-zero-day-that-put-crypto-wallets-at-risk-via-malicious-images/