Red Hot Cyber


PoC Zero-Click Exploit on iPhone and Mac: How Two Bytes Can Compromise the Apple Ecosystem

Redazione RHC : 25 August 2025 08:38

A detailed technical analysis and a proof-of-concept have been published for CVE-2025-43300, a critical flaw in Apple's image-processing stack that allows remote code execution with no user interaction at all: a zero-click bug.

The flaw lies in Apple's implementation of lossless JPEG decompression inside RawCamera.bundle, and it lets an attacker execute arbitrary code without user interaction by means of a specially crafted Digital Negative (DNG) file.

The exploit abuses basic assumptions made by Apple's TIFF/DNG parser and by the way it hands data to the lossless JPEG decoder. DNG, based on Adobe's openly published raw image format specification, uses the TIFF container structure; the image data is stored in SubIFDs as losslessly compressed JPEG. The PoC requires only minimal modifications to a legitimate DNG file, which is what makes the bug particularly dangerous.


Specifically, the bug triggers when a DNG file declares SamplesPerPixel = 2 in its SubIFD directory while the SOF3 (Start of Frame 3) segment of the embedded lossless JPEG stream declares only 1 component. The attack exploits this discrepancy between the TIFF metadata and the actual compressed image data. Researcher b1n4r1b01 has published a detailed technical analysis together with reproduction steps, showing that the flaw is a buffer overflow in the lossless JPEG decompression routine within RawCamera.bundle.

The vulnerability is a significant threat because it can be exploited without a single click, through Apple's automatic image processing. In the researcher's sample file an attacker needs to change only two bytes: the byte at offset 0x2FD00 from 01 to 02 (raising SamplesPerPixel from 1 to 2) and the byte at offset 0x3E40B from 02 to 01 (lowering the SOF3 component count from 2 to 1). These two changes create the discrepancy that triggers the bug; the offsets themselves are specific to that sample, since the position of these fields depends on the layout of each DNG file.
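The metadata-versus-stream discrepancy described above can be checked structurally rather than by looking at fixed offsets, which only hold for the researcher's sample. The following Python script is an added example written for this page, not code from b1n4r1b01's analysis or from Apple: it walks the TIFF/DNG IFD chain and its SubIFDs, reads SamplesPerPixel (tag 277) from every IFD with Compression = 7 (lossless JPEG), locates the first tile or strip, parses the JPEG marker segments up to the SOF3 header and compares the declared SamplesPerPixel with the SOF3 component count Nf. Because the article's own PoC starts from a legitimate file with SamplesPerPixel = 1 and a 2-component SOF3, a plain inequality test would flag benign files, so the check reports only the direction the article describes, where the declared SamplesPerPixel exceeds Nf. The `build_dng` helper constructs a minimal synthetic DNG-style container for offline testing; it is not a real camera file, and the tag layout it writes is an assumption sufficient for this parser, not a spec-complete DNG.

```python
import struct
import sys

# TIFF/DNG tags and constants used by the check (TIFF 6.0 / DNG specifications).
TAG_COMPRESSION, TAG_STRIP_OFFSETS, TAG_SAMPLES_PER_PIXEL = 259, 273, 277
TAG_TILE_OFFSETS, TAG_TILE_BYTE_COUNTS, TAG_SUBIFDS = 324, 325, 330
COMPRESSION_JPEG = 7   # DNG Compression=7: lossless JPEG in tiles or strips
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8,
              11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}

def _read_ifd(data, off, e):
    """Parse the IFD at `off`; return {tag: [values]} for SHORT, LONG and IFD entries."""
    (n,) = struct.unpack_from(e + "H", data, off)
    entries = {}
    for i in range(n):
        pos = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", data, pos)
        vpos = pos + 8                      # value is inline when it fits in 4 bytes
        if TYPE_SIZES.get(typ, 1) * count > 4:
            (vpos,) = struct.unpack_from(e + "I", data, vpos)
        fmt = {3: "H", 4: "I", 13: "I"}.get(typ)
        if fmt:
            entries[tag] = list(struct.unpack_from(e + "%d%s" % (count, fmt), data, vpos))
    return entries

def iter_ifds(data):
    """Yield (offset, entries) for IFD0, its chain and every SubIFD, guarding against loops."""
    e = {b"II": "<", b"MM": ">"}.get(data[:2])
    if e is None or struct.unpack_from(e + "H", data, 2)[0] != 42:
        raise ValueError("not a TIFF/DNG container")
    pending, seen = [struct.unpack_from(e + "I", data, 4)[0]], set()
    while pending:
        off = pending.pop()
        if off == 0 or off in seen:
            continue
        seen.add(off)
        try:
            ifd = _read_ifd(data, off, e)
            (n,) = struct.unpack_from(e + "H", data, off)
            (nxt,) = struct.unpack_from(e + "I", data, off + 2 + 12 * n)
        except struct.error:
            continue                        # truncated IFD: skip it
        yield off, ifd
        pending.append(nxt)
        pending.extend(ifd.get(TAG_SUBIFDS, []))

def sof3_components(data, off):
    """Walk the JPEG marker segments starting at `off`; return Nf from the SOF3 header, or None."""
    if data[off:off + 2] != b"\xff\xd8":
        return None
    pos = off + 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF or marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2   # fill byte / stand-alone marker
            continue
        if marker == 0xC3:                  # SOF3 layout: Lf(2) P(1) Y(2) X(2) Nf(1) ...
            return data[pos + 9]
        if marker in (0xD9, 0xDA):          # EOI or SOS reached without a SOF3
            return None
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
    return None

def find_mismatches(data):
    """Return [(ifd_offset, spp, nf)] for JPEG-compressed IFDs whose SamplesPerPixel exceeds SOF3 Nf."""
    findings = []
    for off, ifd in iter_ifds(data):
        if (ifd.get(TAG_COMPRESSION) or [None])[0] != COMPRESSION_JPEG:
            continue
        spp = (ifd.get(TAG_SAMPLES_PER_PIXEL) or [1])[0]
        for data_off in ifd.get(TAG_TILE_OFFSETS) or ifd.get(TAG_STRIP_OFFSETS) or []:
            nf = sof3_components(data, data_off)
            if nf is not None and spp > nf:
                findings.append((off, spp, nf))
                break                       # one finding per IFD is enough
    return findings

def build_dng(spp, nf):
    """Constructed test input (not a real camera file): minimal little-endian DNG-style TIFF,
    IFD0 -> SubIFD with Compression=7 and one tile holding a lossless JPEG header."""
    sof3 = struct.pack(">HBHHB", 8 + 3 * nf, 16, 2, 2, nf)        # Lf, P=16, Y=2, X=2, Nf
    sof3 += b"".join(struct.pack(">BBB", i + 1, 0x11, 0) for i in range(nf))
    tile = b"\xff\xd8\xff\xc3" + sof3 + b"\xff\xd9"

    def entry(tag, typ, val):               # one 12-byte IFD entry with an inline value
        return struct.pack("<HHI", tag, typ, 1) + struct.pack({3: "<H2x", 4: "<I"}[typ], val)

    ifd0_off, sub_off = 8, 8 + 2 + 12 * 1 + 4                       # SubIFD starts at 26
    tile_off = sub_off + 2 + 12 * 4 + 4                              # tile data starts at 80
    ifd0 = struct.pack("<H", 1) + entry(TAG_SUBIFDS, 4, sub_off) + struct.pack("<I", 0)
    sub = (struct.pack("<H", 4) + entry(TAG_COMPRESSION, 3, COMPRESSION_JPEG)
           + entry(TAG_SAMPLES_PER_PIXEL, 3, spp) + entry(TAG_TILE_OFFSETS, 4, tile_off)
           + entry(TAG_TILE_BYTE_COUNTS, 4, len(tile)) + struct.pack("<I", 0))
    return b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + sub + tile

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, find_mismatches(open(path, "rb").read()))
```

Run it as `python dng_check.py file.dng ...` (file name assumed) over suspect attachments, or call `find_mismatches()` from a mail-gateway or triage pipeline; `find_mismatches(build_dng(2, 1))` reproduces the PoC-shaped layout and returns a finding, while `build_dng(1, 2)`, the shape of the legitimate starting file, returns none. A hit does not prove that the vulnerable path is reached, since the researcher notes that further conditions must hold, but a DNG that declares more samples per pixel than its lossless JPEG stream carries should be treated as suspect and quarantined for analysis.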

RawCamera.bundle, which handles the various raw image formats on iOS, ships without symbol information, which makes reverse engineering harder. The researcher also notes that not all lossless-JPEG-compressed DNG files reach the vulnerable code path: specific conditions, matched by the supplied proof-of-concept sample, must be satisfied. Apple's security advisory acknowledges that CVE-2025-43300 has been actively exploited in sophisticated attacks against specific targeted individuals, which moves this vulnerability from theoretical to a confirmed threat-actor tool.

The zero-click nature makes it particularly attractive for targeted surveillance operations, since the victim needs to do nothing beyond receiving the malicious file. The vulnerability affects multiple Apple platforms, including iOS 18.6.1, iPadOS 18.6.1 and several versions of macOS. Apple has released fixes in iOS 18.6.2, iPadOS 18.6.2, macOS Sequoia 15.6.1 and updates for earlier macOS versions. The researcher confirmed that the proof-of-concept no longer crashes on iOS 18.6.2, indicating that the fix is effective.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
