Redazione RHC: 25 August 2025 08:38
An in-depth analysis and proof-of-concept example has been released regarding CVE-2025-43300, a critical security flaw in Apple’s image processing infrastructure that allows remote code execution without the need for a single click.
The flaw lies in Apple’s implementation of lossless JPEG decompression within RawCamera.bundle and allows attackers to execute arbitrary code without user interaction via specially crafted Digital Negative (DNG) files.
The vulnerability exploits fundamental assumptions of Apple’s TIFF/DNG parsing engine and its interaction with lossless JPEG compression. DNG files, based on Adobe’s open-source raw image format specification, use the TIFF container structure with losslessly compressed JPEG image data embedded in SubIFDs. The PoC requires only minimal modifications to a legitimate DNG file, which makes it particularly dangerous.
Specifically, the vulnerability is triggered when a DNG file declares SamplesPerPixel = 2 in its SubIFD directory but contains only 1 component in the SOF3 (Start of Frame 3) block of the embedded lossless JPEG data. The attack exploits the discrepancy between the metadata declarations and the actual image data. Researcher b1n4r1b01 has published a detailed technical analysis and reproduction steps, showing that the flaw stems from a buffer overflow condition in the lossless JPEG decompression routine within RawCamera.bundle.
The vulnerability poses a significant security threat because it allows zero-click exploitation through Apple’s automatic image processing. In the researcher’s sample file, attackers only need to modify two specific bytes: offset 0x2FD00 from 01 to 02 (changing SamplesPerPixel) and offset 0x3E40B from 02 to 01 (changing the number of SOF3 components). These two changes create the critical discrepancy that triggers the vulnerability.
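The mismatch described above is structural, so a defender can look for it at the file level before an image reaches a decoder: walk the TIFF IFD chain, find any IFD whose Compression tag is 7 (lossless JPEG), read its SamplesPerPixel, and compare that with the Nf byte of the SOF3 frame header in the strip or tile data. The following script is an added example for this article, not code from the researcher or from Apple. It uses only standard TIFF tag numbers (Compression 259, StripOffsets 273, SamplesPerPixel 277, StripByteCounts 279, TileOffsets 324, TileByteCounts 325, SubIFDs 330) and the JPEG SOF3 marker layout; the `build_sample_dng` function constructs a minimal synthetic TIFF container with no pixel data purely as a test fixture for the checker, and the file offsets it produces have nothing to do with the offsets quoted from the PoC.

```python
import struct

# Standard TIFF/DNG tag numbers used by the check
COMPRESSION, STRIP_OFFSETS, SAMPLES_PER_PIXEL, STRIP_BYTE_COUNTS = 259, 273, 277, 279
TILE_OFFSETS, TILE_BYTE_COUNTS, SUBIFDS = 324, 325, 330
TYPE_SIZE = {3: 2, 4: 4}  # SHORT and LONG are the only field types we need

def _read_ifd(data, off, bo):
    """Parse one IFD at offset `off`; returns {tag: [values]} and the next-IFD pointer."""
    count = struct.unpack_from(bo + "H", data, off)[0]
    entries, pos = {}, off + 2
    for _ in range(count):
        tag, typ, n = struct.unpack_from(bo + "HHI", data, pos)
        raw, size = data[pos + 8:pos + 12], TYPE_SIZE.get(typ, 0) * n
        fmt = ("H" if typ == 3 else "I") * n
        if size == 0:
            values = None                      # unsupported type: ignored here
        elif size <= 4:
            values = list(struct.unpack_from(bo + fmt, raw, 0))   # inline value
        else:
            ptr = struct.unpack_from(bo + "I", raw, 0)[0]          # out-of-line value
            values = list(struct.unpack_from(bo + fmt, data, ptr))
        entries[tag] = values
        pos += 12
    return entries, struct.unpack_from(bo + "I", data, pos)[0]

def sof3_component_count(jpeg):
    """Walk JPEG marker segments and return Nf from the SOF3 header, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        code = jpeg[pos + 1]
        if code in (0xD9, 0xDA):               # EOI or SOS before any SOF3
            return None
        if code == 0xC3:                       # SOF3: marker(2) Lf(2) P(1) Y(2) X(2) Nf(1)
            return jpeg[pos + 9] if pos + 10 <= len(jpeg) else None
        pos += 2 + struct.unpack_from(">H", jpeg, pos + 2)[0]
    return None

def find_sof3_mismatches(data):
    """Return [(ifd_offset, SamplesPerPixel, SOF3 Nf)] for every lossless-JPEG IFD
    whose declared sample count disagrees with its embedded frame header."""
    bo = {b"II": "<", b"MM": ">"}.get(data[:2])
    if bo is None or struct.unpack_from(bo + "H", data, 2)[0] != 42:
        raise ValueError("not a classic TIFF/DNG container")
    todo, seen, hits = [struct.unpack_from(bo + "I", data, 4)[0]], set(), []
    while todo:
        off = todo.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue
        seen.add(off)
        ifd, nxt = _read_ifd(data, off, bo)
        todo.extend(ifd.get(SUBIFDS) or [])
        todo.append(nxt)
        if ifd.get(COMPRESSION) != [7]:       # only lossless-JPEG IFDs reach the decoder path
            continue
        spp = (ifd.get(SAMPLES_PER_PIXEL) or [1])[0]
        offs = ifd.get(STRIP_OFFSETS) or ifd.get(TILE_OFFSETS) or []
        lens = ifd.get(STRIP_BYTE_COUNTS) or ifd.get(TILE_BYTE_COUNTS) or []
        for so, sl in zip(offs, lens):
            nf = sof3_component_count(data[so:so + sl])
            if nf is not None and nf != spp:
                hits.append((off, spp, nf))
    return hits

def build_sample_dng(samples_per_pixel, sof3_components):
    """Constructed test fixture: little-endian TIFF, one SubIFD with Compression=7 and a
    strip holding only a lossless-JPEG SOF3 header (no scan data, no real image)."""
    nf = sof3_components
    sof3 = b"\xff\xc3" + struct.pack(">HBHHB", 8 + 3 * nf, 8, 16, 16, nf)
    sof3 += b"".join(bytes([i + 1, 0x11, 0]) for i in range(nf))   # component specs
    jpeg = b"\xff\xd8" + sof3 + b"\xff\xd9"
    ifd0_off = 8
    sub_off = ifd0_off + 2 + 12 + 4             # IFD0 holds a single SubIFDs entry
    strip_off = sub_off + 2 + 4 * 12 + 4        # SubIFD holds four entries
    short = lambda v: struct.pack("<H", v) + b"\x00\x00"
    entry = lambda tag, typ, n, raw: struct.pack("<HHI", tag, typ, n) + raw
    ifd0 = struct.pack("<H", 1) + entry(SUBIFDS, 4, 1, struct.pack("<I", sub_off)) + b"\0\0\0\0"
    sub = struct.pack("<H", 4)                  # entries must be in ascending tag order
    sub += entry(COMPRESSION, 3, 1, short(7))
    sub += entry(STRIP_OFFSETS, 4, 1, struct.pack("<I", strip_off))
    sub += entry(SAMPLES_PER_PIXEL, 3, 1, short(samples_per_pixel))
    sub += entry(STRIP_BYTE_COUNTS, 4, 1, struct.pack("<I", len(jpeg))) + b"\0\0\0\0"
    return b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + sub + jpeg

if __name__ == "__main__":
    print("consistent file:", find_sof3_mismatches(build_sample_dng(2, 2)))
    print("mismatched file:", find_sof3_mismatches(build_sample_dng(2, 1)))
```

A mismatch is only a signal, not proof of exploitation: the researcher notes that further conditions must hold for the vulnerable path to be reached, and the decoder, not this script, decides what happens. The check is still useful as a mail-gateway or endpoint triage rule, because a legitimate camera file has no reason to disagree with its own frame header.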
The RawCamera.bundle package, which handles various raw image formats on iOS, ships without symbol information, making reverse engineering difficult. The researcher also notes that not all lossless JPEG-compressed DNG files reach the vulnerable code path: it requires specific conditions that the provided proof-of-concept sample satisfies. Apple’s security advisory acknowledges that CVE-2025-43300 has been actively exploited in sophisticated attacks targeting specific individuals, elevating this vulnerability from a theoretical issue to a confirmed threat actor tool.
The zero-click nature makes it particularly attractive for targeted surveillance operations, since victims need do nothing beyond receiving the malicious file. The vulnerability affects multiple Apple platforms, including iOS 18.6.1, iPadOS 18.6.1, and various versions of macOS. Recall that Apple has released patches for iOS 18.6.2, iPadOS 18.6.2, macOS Sequoia 15.6.1, and earlier versions of macOS. The researcher confirmed that the proof-of-concept no longer causes a crash on iOS 18.6.2, indicating that the fix is effective.