🟢 CVE-2025-43520

CVE-2025-43520 is a memory corruption vulnerability in Apple operating systems that lets a malicious application cause unexpected system termination or write kernel memory. It is a local privilege escalation issue: the attacker must already have code running on the device, so it is chained after an initial-access exploit rather than used on its own.

โ† Back to Overview
Risk Level: LOW_RISK
CVSS Score: 5.5
Attack Vector: LOCAL
ATT&CK Tactic: Privilege Escalation
ATT&CK Technique: T1068 (Exploitation for Privilege Escalation)
Deployment Risk: VERY_LOW
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-12-12

Added to CISA KEV: 2026-03-20 (98 days between CVE publication and KEV listing)

🎯 Recommendations:

  • Update to a fixed release: iOS 18.7.2 / iPadOS 18.7.2, or the iOS 26.1 line [5]. Fixed builds for macOS, tvOS, visionOS and watchOS are not listed on this page; check Apple's advisory for those platforms.
  • Prioritize the update: the CVE is in CISA KEV and is used in the wild as the final escalation stage of the DarkSword chain, whose initial access comes through WebKit flaws [1] [6]. Unpatched devices that browse untrusted content are the most exposed.
  • The LOW_RISK rating above reflects the local attack vector and the CVSS 5.5 score; given the KEV listing, it should not be read as low urgency.

๐Ÿ” Web Intelligence (Kagi ยท 2026-06-04)

CVE-2025-43520 is a kernel-level memory corruption vulnerability in Apple operating systems, classified as a buffer overflow (CWE-120) [3] [7]. Sources disagree on severity: the record above and [2] rate it medium (CVSS 5.5, local attack vector), while [3] cites CVSS 8.8. For prioritization, its CISA KEV listing and its use in an in-the-wild exploit chain [1] [6] matter more than the score.

Active Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been reported as exploited in the wild [6] and is listed in CISA KEV (see above).
  • Threat Actor Usage: It is a component of the "DarkSword" iOS exploit kit, which chains six flaws, three of them zero-days, to achieve full device compromise [1].
Attack Method and Requirements
  • Method: The flaw is a classic buffer overflow (CWE-120) caused by improper memory handling in the kernel [3] [7]. The GitHub Gist analysis [4] places it in the cluster I/O path (cluster_read_ext and cluster_write_ext, which call cluster_io_type to select the I/O operation); the page carries no further detail on the faulty logic.
  • Requirements: The attacker needs code already running on the device, for example a malicious application [2]. In DarkSword it is the final stage: initial access comes through WebKit flaws, and the kernel exploit runs from inside mediaplaybackd to escalate privileges [1].
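Added example, not code from Apple, from the DarkSword analysis, or from the gist cited in [4]: the page says only that the bug is a CWE-120 overflow arising from improper memory handling in the kernel's cluster I/O path, without describing the faulty logic. The hypothetical `io_buf`, `range_ok_naive`, `range_ok_safe` and `io_write_checked` below are a generic C illustration of the pattern behind such bugs: an offset/length check that wraps versus one that cannot, with the copy into the fixed-size buffer reachable only through the safe check. They do not reproduce the XNU defect.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size kernel I/O buffer. Illustrative only: this is not
 * XNU's cluster I/O code and not the CVE-2025-43520 defect. */
#define KBUF_SIZE 64u

struct io_buf {
    uint8_t  data[KBUF_SIZE];
    uint32_t len;              /* number of valid bytes in data */
};

/* Naive range check. off + len is evaluated in 32-bit unsigned arithmetic and
 * wraps, so an attacker-chosen off near UINT32_MAX slips past the comparison
 * (CWE-190 leading to CWE-120 once a copy is driven by these values). */
static bool range_ok_naive(uint32_t off, uint32_t len, uint32_t cap)
{
    return off + len <= cap;
}

/* Safe range check: never forms off + len. It compares len against the room
 * left after off, which cannot wrap because off <= cap is established first. */
static bool range_ok_safe(uint32_t off, uint32_t len, uint32_t cap)
{
    return off <= cap && len <= cap - off;
}

/* Copy len bytes from src to b->data + off, but only through the safe check.
 * Returns 0 on success or -EINVAL when the request does not fit. */
static int io_write_checked(struct io_buf *b, uint32_t off,
                            const uint8_t *src, uint32_t len)
{
    if (!range_ok_safe(off, len, KBUF_SIZE))
        return -EINVAL;
    memcpy(b->data + off, src, len);
    if (off + len > b->len)        /* cannot wrap: off + len <= KBUF_SIZE here */
        b->len = off + len;
    return 0;
}

/* Constructed attacker-style request whose naive sum wraps to 0x10.
 * Returns 1 when the naive check accepts it and the safe check rejects it. */
static int demo_wrapping_request(void)
{
    const uint32_t off = 0xFFFFFFF0u, len = 0x20u;   /* off + len wraps to 0x10 */
    return range_ok_naive(off, len, KBUF_SIZE) &&
           !range_ok_safe(off, len, KBUF_SIZE);
}

int main(void)
{
    struct io_buf b;
    const uint8_t payload[8] = "ABCDEFG";   /* constructed sample data */

    memset(&b, 0, sizeof b);
    printf("wrapping request: naive accepts, safe rejects = %d\n",
           demo_wrapping_request());
    printf("in-bounds write  (off 60, len 4): rc = %d\n",
           io_write_checked(&b, 60, payload, 4));
    printf("overflowing write (off 60, len 8): rc = %d\n",
           io_write_checked(&b, 60, payload, 8));
    printf("oversized length (off 0, len 65): rc = %d\n",
           io_write_checked(&b, 0, payload, 65));
    return 0;
}
```

Build with `cc -Wall -o io_check io_check.c` (file name assumed). The naive check is only evaluated here, never used to drive a memcpy, so the program runs safely; in a kernel the same accepted request would produce the panic or arbitrary kernel write the advisory describes. The safe form is the one to look for in review: bound the offset first, then compare the length against the remaining capacity, and never compute the sum before both are known to fit.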
Impact and Access
  • Impact: Successful exploitation causes unexpected system termination (a kernel panic) or, more severely, lets the attacker write arbitrary data to kernel memory [2] [7].
  • Access: In the DarkSword chain this yields kernel privilege escalation, arbitrary read/write and arbitrary function call capabilities, giving the attacker deep control over the device and allowing the injected JavaScript payload to run [1].
Ransomware and Targeted Attacks
  • DarkSword achieves full device compromise, but public reporting associates it with advanced persistent threat (APT) or targeted surveillance-style operations rather than broad ransomware campaigns [1]; the record above accordingly marks Ransomware: No.
Proof-of-Concept and Availability
  • Technical details, including the vulnerability's role in the DarkSword kit, are public in security research reports and a GitHub Gist analysis (`CVE-2025-43520.txt`) [3] [4]. The cited sources are analyses; whether working exploit code is public is not stated here.
Affected Products and Mitigation
  • Affected Products: iOS, iPadOS, macOS, tvOS, visionOS, and watchOS [2].
  • Patch Status: Apple fixed the issue in iOS 18.7.2 and iPadOS 18.7.2 and in the iOS 26.1 line [5]; fixed versions for the other platforms are not listed on this page. Update to the latest available software versions.

Sources

  1. DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device ...

     "In the final stage, a kernel privilege escalation flaw (CVE-2025-43520) is leveraged to obtain arbitrary read/write and arbitrary function call capabilities inside mediaplaybackd, and ultimately execute the injected JavaScript code."

  2. CVE-2025-43520: Medium Vulnerability in Apple Multiple Products

     "CVE-2025-43520 is a medium-severity vulnerability affecting multiple Apple products, including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. This vulnerability allows a memory corruption issue that could enable a malicious application to cause unexpected system termination or write kernel memory."

  3. WebKit and Kernel Vulnerabilities and DarkSword Exploit | Threat Intel

     "CVE-2025-43520 (CVSS 8.8) is a classic buffer overflow vulnerability in the kernel. It occurs due to improper memory handling, allowing a ..."

  4. CVE-2025-43520.txt - GitHub Gist

     "CVE-2025-43520 - DarkSword. 1. cluster_read_ext and cluster_write_ext call cluster_io_type to determine what IO operation to perform."

  5. CVE-2025-43520 Detail - NVD

     "Description. A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS ..."

  6. Apple DarkSword Buffer Overflow — Actively Exploited iOS/macOS ...

     "Apple patched a nasty memory bug — a classic buffer overflow — that allowed a malicious app to crash your device or, worse, write directly into ..."

  7. CVE-2025-43520 - Vulnerability Details - OpenCVE

     "A memory corruption flaw identified as a buffer overflow (CWE-120) allows a malicious application to overwrite kernel memory. The improper handling of memory can trigger unexpected system termination or enable the attacker to write arbitrary data to the kernel, potentially destabilizing the device o…"