Shattering the Glass Cage: Dissecting the CVE-2025-24201 WebKit Escape

In the world of offensive security, the "Zero-Click" exploit is the holy grail. It’s the capability that keeps CISO's awake at night and fetches seven figures on the gray market. CVE-2025-24201 isn't just a browser bug; it is the silent killer inside the "Glass Cage" chain. This vulnerability resides in WebKit, the engine that powers Safari, but more importantly, it powers the rendering of web content inside iMessage. That means an attacker doesn't need you to visit a shady URL; they just need to send you a specifically crafted message.

Technically, this is an Out-of-Bounds (OOB) Write. In the context of a browser engine, an OOB write is like being given a key to a specific hotel room but figuring out how to smash through the drywall into the adjoining suite. That adjoining suite happens to contain the control structures for the Web Content process.

The real beauty—and horror—of this bug is its role in the chain. It’s the bridge. The attackers first gained execution via ImageIO (CVE-2025-43300), but they were trapped in the tight confines of the BlastDoor sandbox. CVE-2025-24201 is the explosive charge they used to blow the door off that sandbox, pivoting from a restricted process to a position where they could attack the kernel directly.

Under the hood, this vulnerability stems from a failure in memory management logic, specifically pointing towards the ATXEncoder component or similar heap-allocated structures within WebCore. The issue is classified as CWE-787: Out-of-bounds Write. In C++, when you allocate a buffer on the heap, you tell the allocator exactly how much space you need. If you calculate that size based on user input (like the dimensions of an image or the length of a string) and fail to validate it strictly, you end up with a mismatch.

The developers implemented checks, but they weren't enough. The vulnerability is described as a "supplementary fix" for an issue that was supposedly addressed in iOS 17.2. This implies that the attackers found a variant—a way to bypass the original patch. They found a code path where the boundary checks could be tricked, allowing the render engine to write data past the end of the allocated buffer.

Once you have an OOB write, you have a "write primitive." In the WebKit heap, this is devastating. By carefully grooming the heap (Heap Feng Shui), an attacker can arrange objects so that the victim buffer is adjacent to a critical object—like a function pointer or a length property of an array. Overwriting the length of an adjacent Javascript array, for example, gives you read/write access to the entire address space of the process. Game over for the sandbox.

While the specific source code diff is locked behind Apple's restricted Bugzilla (ID 285858), we can reconstruct the anatomy of this failure based on the patch description: "Improved checks." In WebKit, an OOB write often looks like a disconnect between the allocation size and the loop that writes data.

Imagine a simplified C++ scenario in the encoder logic:

// VULNERABLE LOGIC PATTERN
void parseWebData(uint8_t* data, size_t len) {
    // Developer calculates size needed for output
    size_t bufferSize = calculateSize(data);
    
    // Allocation seems safe...
    uint8_t* buffer = (uint8_t*)fastMalloc(bufferSize);
 
    // THE BUG: The writing loop uses 'len' from input,
    // not the calculated 'bufferSize', and 'calculateSize'
    // had an integer overflow or logic flaw.
    for (size_t i = 0; i < len; i++) {
        buffer[i] = transform(data[i]); // <--- WRITES OOB HERE
    }
}

The fix involves validating that the data being written actually fits into the allocated slot. Apple's patch essentially adds a "bounds check" before the write operation or hardens the size calculation to prevent the mismatch.

// PATCHED LOGIC
void parseWebData(uint8_t* data, size_t len) {
    Checked<size_t> bufferSize = calculateSize(data);
    if (bufferSize.hasOverflowed()) return; // Bail out
    
    // Hardened vector with bounds checking
    Vector<uint8_t> buffer;
    buffer.reserveCapacity(bufferSize.value());
 
    for (size_t i = 0; i < len; i++) {
        // The Vector class now prevents OOB writes
        // or explicitly check (i < bufferSize)
        buffer.append(transform(data[i])); 
    }
}

By enforcing strict bounds checking, the engine ensures that no matter what malicious garbage the attacker sends, the write pointer cannot drift into adjacent memory.

The "Glass Cage" exploit chain is a masterclass in modern offensive engineering. It doesn't rely on a single lucky bug; it chains three distinct vulnerabilities to achieve total domination. Here is how an attacker weaponizes CVE-2025-24201:

1. Delivery: The target receives a message containing a malicious PNG. The MessagesBlastDoorService spins up to parse it.
2. Initial RCE: The ImageIO bug triggers, giving the attacker code execution inside the BlastDoor sandbox. This is a tight cage; they can't touch the file system or user data yet.
3. The Pivot (CVE-2025-24201): The attacker leverages the initial RCE to interact with WebKit interfaces exposed to the process. They trigger the OOB Write in the encoder logic.
4. Sandbox Escape: Using the OOB write, they corrupt a JavaScript object in memory to gain an arbitrary Read/Write primitive. They disable the specific checks that enforce the sandbox boundaries.
5. Kernel Escalation: Now running with the privileges of the Web Content process (which is higher than BlastDoor but still restricted), they attack the kernel using a UAF in Core Media (CVE-2025-24085).

The sophistication is evident in the post-exploitation behavior. The malware modifies wifid proxy settings to route traffic to 172.16.101.176 and manipulates IORegistry keys like IOAccessoryPowerSourceItemBrickLimit to potentially brick the device if detection is suspected. This is high-stakes warfare.

A successful exploit of CVE-2025-24201 effectively neutralizes the primary security architecture of iOS: the Sandbox. The sandbox is designed to contain damage; if a renderer gets popped, the attacker should still be trapped. This vulnerability breaks that promise.

For the targeted victims, the impact was catastrophic. The attackers didn't just want to read emails; they wanted persistence and total control. They accessed CloudKeychainProxy to steal encrypted credentials. They injected rogue daemons via launchd to survive reboots. Because this is zero-click, the victim has no indication that their device has been turned into a pocket-sized spy.

The CVSS score is a flat 10.0 because the scope is changed (Sandbox Escape), user interaction is None, and the impact to Confidentiality, Integrity, and Availability is High. It is the definition of a "burn it down" bug.

Apple has released patches across the entire ecosystem. If you are running anything older than iOS 18.3.2 or macOS 15.3.2, you are vulnerable. The fix involves improved memory safety checks in WebKit to prevent the OOB write.

Remediation Steps:

1. Update Immediately: Go to Settings -> General -> Software Update. Do it now.
2. Lockdown Mode: For high-risk individuals (journalists, politicians, researchers), enabling Lockdown Mode is highly effective. It reduces the attack surface by disabling certain complex web technologies and image parsers that are often the vector for these exploits. Reports suggest Lockdown Mode successfully blocks parts of the "Glass Cage" chain.
3. Reboot: Frequent reboots can disrupt non-persistent stages of exploit chains, though the Glass Cage malware attempts to establish persistence quickly.

This vulnerability highlights the fragility of C/C++ memory management in complex parsers. Until WebKit adopts more memory-safe languages for its parsers, we will continue to see the cat-and-mouse game of OOB writes and heap hardening.