Apple has released iOS 18.6.2 and iPadOS 18.6.2 to prevent hackers from exploiting a vulnerability that allowed spyware to infiltrate iPhones and iPads.

The update went live on August 20 and it fixes a single but serious flaw in Apple's ImageIO framework. Attackers could send a malicious image that corrupted memory and opened the door to device compromise, News.Az reports, citing Forbes.

In plain terms, someone could hack your iPhone just by getting it to process a picture. Apple says the bug was caused by an out-of-bounds write.

That means data spilled into memory locations where it didn't belong, giving attackers a chance to run their own code. The issue is logged as CVE-2025-43300 and was patched by adding tighter bounds checks.
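To make the bug class concrete, here is an added illustration that is not Apple's ImageIO code and not the actual CVE-2025-43300 flaw, whose details the article does not give. It uses a constructed toy run-length image format (all names and sample bytes are invented for this example) to show a decoder that trusts the file next to one that performs the bounds check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format, not a real image format:
 * byte 0 = width, byte 1 = height, then (count, value) run-length pairs. */
static const uint8_t VALID[]     = {2, 2, 3, 0x11, 1, 0x22}; /* runs total 4 = 2*2 */
static const uint8_t MALFORMED[] = {2, 2, 6, 0xAA};          /* run of 6 into 4 pixels */

/* Unchecked: trusts every run length, so an oversized run writes past the pixels. */
size_t decode_unchecked(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t pos = 0;
    for (size_t i = 2; i + 1 < len; i += 2) {
        memset(out + pos, in[i + 1], in[i]);
        pos += in[i];
    }
    return pos;
}

/* Checked: each run must fit in the space the header declared.
 * Returns 0 on success, -1 if the file is rejected. */
int decode_checked(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    if (len < 2) return -1;
    size_t need = (size_t)in[0] * in[1], pos = 0;
    if (need > cap) return -1;
    for (size_t i = 2; i + 1 < len; i += 2) {
        if (in[i] > need - pos) return -1;   /* the bounds check */
        memset(out + pos, in[i + 1], in[i]);
        pos += in[i];
    }
    return pos == need ? 0 : -1;
}

/* Counts neighbour bytes overwritten when MALFORMED is decoded. The 4-byte pixel
 * buffer and 4 neighbour bytes share one array, so the overflow stays observable. */
int neighbours_clobbered(int use_checked)
{
    uint8_t arena[8] = {0, 0, 0, 0, 'K', 'E', 'Y', '!'};
    if (use_checked) decode_checked(MALFORMED, sizeof MALFORMED, arena, 4);
    else             decode_unchecked(MALFORMED, sizeof MALFORMED, arena);
    return (arena[4] != 'K') + (arena[5] != 'E') + (arena[6] != 'Y') + (arena[7] != '!');
}

int main(void)
{
    printf("overwritten: unchecked=%d checked=%d\n", neighbours_clobbered(0), neighbours_clobbered(1));
    return 0;
}
```

The unchecked decoder overwrites data next to the pixel buffer, while the checked decoder rejects the same file before writing anything.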

The technical explanation is dry, but the risk is not. Exploits like this often don't require a user to tap anything. Your phone could be hit in the background while previewing an image or receiving it through an app.

Who is affected

The patch covers iPhone XS and later, iPad Pro 3rd generation and newer, iPad Air 3 and newer, iPad mini 5 and newer, and iPad 7th generation and newer. Older hardware didn't get the fix, which means anyone still holding onto older devices is stuck without protection.

Apple says the bug was used in "extremely sophisticated" attacks against "specific targeted individuals." That phrasing usually signals spyware campaigns against high-profile users like journalists, lawyers, and activists.

The company has used the same language in the past when addressing spyware linked to companies such as NSO Group. Zero-day exploits, the kind used before a fix exists, are especially dangerous.

Apple has patched similar flaws in ImageIO and WebKit in the past, some of which were linked to Pegasus spyware. Those attacks worked silently, often requiring nothing more than a message or image to land on a device.

The new patch shows that attackers are still probing Apple's systems and occasionally finding cracks. Even though the average iPhone owner isn't likely to be targeted, the same techniques often get reused or modified later in broader attacks.

How to protect yourself

The best defense is to install iOS 18.6.2 and iPadOS 18.6.2 as soon as possible. Apple doesn't publish details until a patch is ready, which prevents attackers from reverse-engineering the flaw before users can update.

If you're on older, unsupported hardware, your options are limited. Without updates, those devices stay exposed, and security becomes another reason to move on to newer models.

For most people, the risk is low, but that doesn't make the fix optional. Updates like iOS 18.6.2 make sure your phone isn't someone else's tool.

