Apple Emergency Patch: Two WebKit Zero-Days Actively Exploited in Targeted iOS Attacks
Apple has released out-of-band patches addressing two zero-day vulnerabilities that were already being exploited in real-world attacks. The company confirmed that the exploits involved highly sophisticated technical techniques targeting a limited set of individuals, rather than mass compromise. Both flaws affected devices running iOS versions prior to iOS 26 and were remediated in a single update bundle.
The vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174. According to Apple, both were leveraged as part of the same activity, although the company declined to disclose details about the attack vectors or delivery mechanisms, citing only an “extremely sophisticated attack” aimed at specific users.
CVE-2025-43529 is a use-after-free flaw in WebKit, the browser engine used by Safari and all third-party browsers on iOS. The issue allows remote code execution when processing specially crafted web content. The vulnerability was discovered by Google’s Threat Analysis Group.
The second flaw, CVE-2025-14174, also resides in WebKit and involves memory corruption. Such defects can lead to improper memory handling and create conditions conducive to further exploitation. Its discovery was credited to Apple in collaboration with the same Google research team.
Both vulnerabilities affected a broad range of devices, including iPhone models from the iPhone 11 onward; multiple generations of iPad Pro; iPad Air from the third generation and later; standard iPads starting with the eighth generation; and iPad mini devices from the fifth generation forward. In practical terms, most currently supported Apple devices were at risk.
The fixes were rolled out across multiple operating system releases. Patches are included in iOS 26.2 and iPadOS 26.2, as well as in iOS 18.7.3 and iPadOS 18.7.3. Updates were also issued for macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari version 26.2.
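For a defender, the practical question behind this version list is which managed devices are still below the fixed release on their branch. The following Python is an added example, not code from the article or from Apple: it encodes the fixed versions the article names (26.2 for the 26 branch, 18.7.3 for the 18 branch) and triages a constructed device inventory against them. The platform labels and the inventory format are assumptions of the example, and any branch the article lists no fix for is reported separately rather than treated as safe.

```python
"""Patch-compliance triage for the WebKit fixes described above
(CVE-2025-43529, CVE-2025-14174).

Added example, not from the article or from Apple. The fixed versions come
from the article's release list; the device inventory is constructed sample
data, and the platform labels are an assumption of this example.
"""

# Minimum release per (platform, major branch) that carries the fix,
# taken from the article's list of patched releases.
FIXED_VERSIONS = {
    ("iOS", 26): (26, 2),
    ("iOS", 18): (18, 7, 3),
    ("iPadOS", 26): (26, 2),
    ("iPadOS", 18): (18, 7, 3),
    ("macOS", 26): (26, 2),
    ("tvOS", 26): (26, 2),
    ("watchOS", 26): (26, 2),
    ("visionOS", 26): (26, 2),
    ("Safari", 26): (26, 2),
}


def parse_version(text):
    """Turn '18.7.3' into (18, 7, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(platform, version_text):
    """Return 'patched', 'unpatched' or 'unknown-branch' for one device.

    Python tuples compare element by element, and a shorter tuple sorts
    before its own extension, so (18, 7) < (18, 7, 3) and (26, 2, 1) >= (26, 2).
    That gives the right answer for 18.7 (unpatched) and 26.2.1 (patched).
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((platform, version[0]))
    if fixed is None:
        # A branch the article names no fix for (e.g. iOS 17): there is nothing
        # to compare against, so surface it for review instead of calling it safe.
        return "unknown-branch"
    return "patched" if version >= fixed else "unpatched"


def triage(inventory):
    """Group device ids by status; inventory rows are (device_id, platform, version)."""
    report = {"patched": [], "unpatched": [], "unknown-branch": []}
    for device_id, platform, version in inventory:
        report[patch_status(platform, version)].append(device_id)
    return report


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("iphone-a", "iOS", "26.2"),
    ("iphone-b", "iOS", "26.1"),
    ("iphone-c", "iOS", "18.7.3"),
    ("iphone-d", "iOS", "18.7"),
    ("ipad-e", "iPadOS", "17.7.10"),
    ("mac-f", "macOS", "26.2.1"),
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

The point of the separate `unknown-branch` bucket is that the article's list only covers the 26 and 18 branches; a device on an older branch is not "patched" just because the comparison cannot be made, and a compliance report should say so explicitly.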
Almost simultaneously, Google updated its advisory on a previously mysterious Chrome zero-day. Initially published without technical detail, the company later confirmed that the issue carries the identifier CVE-2025-14174 and stems from an out-of-bounds memory access in the ANGLE component.
Because WebKit underpins all browsers on iOS, including Chrome, the observed activity aligns with well-known patterns of targeted attacks in which malicious web content serves as the primary exploitation vector. While Apple emphasizes that the attacks were not widespread, it nonetheless urges users to install the updates as soon as possible.
With these fixes, the total number of zero-day vulnerabilities patched by Apple in 2025 after confirmed in-the-wild exploitation has reached seven. Previous emergency updates were issued in January, February, March, and April, with an additional patch in September backported to older versions of iOS and iPadOS. The latest releases extend this sequence—offering few operational details, yet clearly signaling that these flaws were actively abused in targeted cyber-espionage campaigns and demand immediate user attention.