Apple fixes two zero-day flaws that attackers used in specific assaults.

Apple has issued an urgent security update addressing two zero-day vulnerabilities that have been exploited by attackers in targeted operations.

The company described these incidents as part of a “highly sophisticated attack,” although it hasn’t disclosed the identities of the attackers or the victims. The narrow focus of the attack points to a spyware operation rather than a broader cybercrime wave.

Both vulnerabilities affect WebKit, the browser engine underlying Safari and other browsers on iOS, which poses substantial risks. In fact, some attacks can occur simply by visiting a malicious web page.

To help clarify these vulnerabilities, let’s go over what they entail and how you can safeguard yourself.

Understanding Apple’s zero-day vulnerabilities

The vulnerabilities are identified as CVE-2025-43529 and CVE-2025-14174, and Apple has confirmed that both were part of the same live exploitation event.

The company said the flaws were exploited on versions of iOS prior to iOS 26 and were aimed at “specific targeted individuals.”

CVE-2025-43529 is a use-after-free vulnerability in WebKit that could enable arbitrary code execution when malicious web content is processed. Essentially, it tricks the browser into mishandling memory, thereby allowing the attacker to run their code on the device.

Google’s Threat Analysis Group discovered this issue, which often indicates activity tied to nation-state or commercial spyware.

The second flaw, CVE-2025-14174, also relates to WebKit but involves memory corruption.

Even though Apple describes the impact as memory corruption rather than code execution, such bugs are often chained with other vulnerabilities to fully compromise a device’s security.

Apple noted that this issue was jointly discovered by its own team and Google’s Threat Analysis Group.

In both instances, Apple acknowledged being aware of reports regarding active exploitation.

This terminology is crucial because Apple generally uses it when an actual attack has occurred, rather than just a potential risk.

The company has addressed the vulnerabilities by improving memory management and validation checks, but hasn’t disclosed the intricate technical details that could help attackers replicate the exploit.

Affected Devices and Addressing the Issue

Patches have been released across all of Apple’s supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS, and visionOS.

Affected devices include iPhone 11 and later models, several generations of iPad Pro, iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).

This patch covers most of the iPhones and iPads that are still in active use today.

Apple has rolled out fixes in iOS 26.2 and iPadOS 26.2, as well as iOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. The underlying issue also affected Chrome on iOS since Apple mandates that all iOS browsers utilize WebKit.
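For administrators checking a device inventory against the fixed releases listed above, here is an added example (not from Apple or the original article) that compares reported versions within each major branch. The inventory rows and status labels are constructed; a branch for which the article names no fixed release is reported as `no-fix-listed` rather than guessed.

```python
# Added example. Fixed releases are the ones named in the article;
# the inventory rows and status labels are constructed for illustration.
FIXED = {
    "iOS": [(26, 2), (18, 7, 3)],   # two branches are listed for iOS
    "iPadOS": [(26, 2)],
    "macOS": [(26, 2)],             # macOS Tahoe
    "tvOS": [(26, 2)],
    "watchOS": [(26, 2)],
    "visionOS": [(26, 2)],
    "Safari": [(26, 2)],
}

def parse_version(text):
    """'18.7.3' -> (18, 7, 3). Numeric tuples avoid the string-compare
    trap where '26.10' sorts before '26.2'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(product, version_text):
    """Return 'patched', 'needs-update', 'no-fix-listed' or 'unknown'."""
    fixes = FIXED.get(product)
    if fixes is None:
        return "unknown"
    try:
        seen = parse_version(version_text)
    except ValueError:
        return "unknown"
    for fix in fixes:
        if fix[0] == seen[0]:  # compare only within the same major branch
            width = max(len(fix), len(seen))
            pad = lambda v: v + (0,) * (width - len(v))
            return "patched" if pad(seen) >= pad(fix) else "needs-update"
    return "no-fix-listed"  # article names no fixed release for this branch

INVENTORY = [  # constructed sample rows, not real devices
    {"host": "phone-01", "product": "iOS", "version": "26.1"},
    {"host": "phone-02", "product": "iOS", "version": "18.7.3"},
    {"host": "phone-03", "product": "iOS", "version": "17.7"},
    {"host": "mac-01", "product": "macOS", "version": "26.10"},
    {"host": "watch-01", "product": "watchOS", "version": "26.1.1"},
]

def audit(inventory):
    """Map each host to its patch status."""
    return {r["host"]: status(r["product"], r["version"]) for r in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:10} {result}")
```
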

Steps to Protect Yourself from Vulnerabilities

Here are six practical measures you can take to enhance your security, particularly given these targeted zero-day attacks.

1) Install updates promptly

This may sound straightforward, but it’s critical. Zero-day attacks often target outdated software.

When Apple sends an emergency update, it’s best to install it as soon as possible. Delays can be the only thing an attacker needs. So if you tend to forget, allow your device to automatically handle updates. That way, you won’t miss out on important protections.

2) Exercise caution with links, even from acquaintances

Many WebKit exploits start with malicious web content. Be wary of clicking on random links sent via SMS, WhatsApp, or email unless you’re expecting them. If something feels off, it’s usually safer to manually enter the URL later.

Using antivirus software on your devices can provide an extra layer of protection against harmful links that might lead to malware installation or personal data access.

3) Utilize lockdown browsing settings

If you’re a journalist, activist, or involved with sensitive information, consider reducing your exposure to risks.

Stick to Safari, avoid unnecessary browser extensions, and limit how often you access links from messaging applications.

4) Activate lockdown mode if you feel threatened

Apple’s Lockdown Mode is tailored for situations involving targeted attacks. It restricts specific web technologies, blocks most message attachments, and limits common spyware attack vectors. While it’s not necessary for everyone, it can be beneficial in specific circumstances.

5) Minimize personal data exposure

Targeted attacks often start with the attacker building a profile on you. By reducing your online personal data, you decrease the likelihood of being targeted. Consider removing information from data broker sites and tightening your social media privacy settings.

While services that delete personal data aren’t guaranteed to provide complete removal from the internet, they can be a valuable option.

These services continuously monitor and systematically eliminate your information from numerous websites. This approach has given me peace of mind, proving to be quite effective in erasing personal data from the web.

Limiting your available data reduces the chances of scammers being able to cross-reference information from a breach with anything they find online.

6) Watch out for unusual device behavior

If you notice your Safari crashing, your device overheating, or your battery draining unexpectedly, those could be indicators of a problem. While these signs don’t automatically imply an issue, consistent abnormal behavior should prompt you to update and possibly reset your device.

Key Takeaways

While Apple didn’t disclose specific targeting details or the nature of the attacks, the circumstances align with previous spyware campaigns that focused on journalists, activists, politicians, and other high-interest individuals.

With this latest round of patches, Apple has fixed seven zero-day vulnerabilities exploited in the wild during 2025, a count that includes earlier and backported fixes for existing devices.
