For years, iPhone users believed they were safer than their Android counterparts. But that sense of security is fading fast. In 2025 alone, Apple has patched seven zero-day vulnerabilities, several of which were actively exploited before the company released fixes. According to Apple’s security bulletins, these flaws targeted the core of its operating systems—from image rendering to messaging frameworks. The latest one, tracked as CVE-2025-43300, affects iPhones, iPads, and Macs, allowing attackers to execute malicious code through a single crafted image file. Apple confirmed that this vulnerability “may have been exploited in extremely sophisticated attacks,” making it clear that cyber fraudsters are no longer avoiding Apple’s ecosystem—they’re actively breaching it.

TL;DR

Apple has patched a new zero-day vulnerability (CVE-2025-43300) that lets hackers run malicious code through crafted image files on iPhones, iPads, and Macs. It’s the seventh zero-day fix this year, proving that Apple devices are no longer immune. Update your Apple devices now to stay secure.

Even iPhone Users Are Being Targeted

The Telangana Cyber Security Bureau (TGCSB) has issued an alert about a device-neutral cyber fraud that now targets iPhone users—those who were previously unaffected by .apk-based Android scams. This new scam exploits the call-forwarding feature in mobile networks to hijack WhatsApp accounts.

The caller, speaking with calm urgency, claims to be from a courier company. “Our delivery agent is waiting right outside your door. Please type this code to verify your parcel,” the voice insists. The victim, unsuspecting and perhaps in a hurry, obediently keys in the digits, — 21number# — unaware they’ve just handed over control of their phone. Within minutes, the conmen gain full access to the victim’s WhatsApp account, which they then use to message friends, family, or clients asking for urgent money transfers.

TGCSB explained that the fraudsters manipulate victims into enabling call forwarding, which redirects incoming verification calls to the attacker’s device. Once they intercept the WhatsApp verification code, they take over the account and use it to defraud contacts. The Bureau emphasized that this social engineering scam affects both Android and iPhone users, proving that even Apple’s ecosystem isn’t immune when human trust becomes the weak link.

What’s Happening

The technical side of this issue stems from Apple’s Image I/O framework, which processes image files across devices. Attackers can exploit this flaw simply by sending a malicious image—via email, social media, or even iMessage—to trigger code execution without user interaction.

Apple’s patch covers:

• iOS 18.6.2 and earlier
• iPadOS 18.6.2
• macOS Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8

This isn’t the first time Apple’s defences have been tested. Earlier this year, zero-days in CoreAudio and RTKit were exploited in similar attacks. With seven critical fixes already in 2025, Apple’s once “safe by design” ecosystem is being pushed to its limits.

Why iPhone Users Should Care

• Apple’s security myth is breaking. The company’s walled garden doesn’t stop attackers anymore.
• Zero-click exploits are real. You don’t have to tap anything—just receiving an image or message can trigger an attack.
• Social engineering adds another layer. Even without malware, scammers can make you hand over control through a simple call.
• Attackers are faster. The time from discovery to exploitation is shrinking, which means delays in updates create real risk.

How Cyber Fraudsters Are Exploiting the Flaw

Cybercriminals now combine high-tech exploits with low-tech deception. Advanced groups use zero-click vulnerabilities like CVE-2025-43300, while everyday scammers rely on simple manipulation. Once they control a device or account, they can:

• Steal credentials, messages, and authentication tokens.
• Impersonate victims on WhatsApp or business channels.
• Access synced banking apps or crypto wallets.
  This mix of technical breach and psychological manipulation shows that cybersecurity isn’t only about strong software—it’s about user awareness.

What You Should Do

• Update your Apple devices immediately
  
  • iPhone/iPad: Settings → General → Software Update
  • Mac: System Settings → General → Software Update
    
• Never dial codes shared by callers claiming to be from courier or telecom companies.
• Disable call forwarding: Dial ##002# to cancel all active forwarding.
• Enable automatic updates to stay ahead of exploits.
• Restart your device after every patch to apply it fully.
• Use two-step verification for WhatsApp and other accounts.
• Stay informed through Apple’s security updates page and verified cyber advisories.

To Sum Up

Between zero-day vulnerabilities and telecom-based scams, Apple’s ecosystem is no longer off-limits to cybercriminals. The Telangana Cyber Security Bureau’s warning proves that even a simple phone call can compromise a user’s privacy and finances. The best protection isn’t fear—it’s awareness. Keep your system updated, verify every message or call, and never assume security just because you own an iPhone.

FAQs

1. What is a zero-day vulnerability?
   A zero-day is a software flaw exploited by hackers before a company releases a patch. It’s called “zero-day” because developers have zero time to fix it before exploitation starts.
2. How are iPhone users being targeted in India?
   Through a new call-forwarding scam. Fraudsters trick victims into dialing codes like 21number#, allowing them to intercept WhatsApp verification calls and take over accounts.
3. Does this mean Apple devices are unsafe?
   Not unsafe, but not immune. Even the most secure systems can be compromised through new exploits or social engineering.
4. How can I disable call forwarding on my phone?
   Dial ##002# from your device to turn off any active call-forwarding features.
5. How can I protect my WhatsApp account?
   Enable Whatsapp two-step verification, don’t share verification codes, and never dial codes sent over calls or messages.