Urgent Security Alert: Apple Patches Actively Exploited WebKit Zero-Days in iOS and macOS

Apple has released critical security updates for its operating systems, including iOS, iPadOS, and macOS, to address two zero-day vulnerabilities in the WebKit rendering engine. These flaws were actively exploited in the wild, potentially enabling sophisticated attacks against targeted individuals. Users are strongly urged to update their devices immediately to protect against these threats.

Key Takeaways

  • Two actively exploited zero-day vulnerabilities in Apple's WebKit have been patched.

  • These flaws could lead to arbitrary code execution and memory corruption.

  • The vulnerabilities were exploited in "extremely sophisticated attacks" against specific individuals.

  • Updates are available for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari.

  • One of the patched vulnerabilities is the same flaw previously addressed by Google in Chrome.

Exploited WebKit Vulnerabilities

Apple's latest security advisories detail two critical vulnerabilities, CVE-2025-43529 and CVE-2025-14174, affecting the WebKit engine. CVE-2025-43529 is a use-after-free vulnerability, while CVE-2025-14174 is a memory corruption issue. Both can be exploited by processing maliciously crafted web content, potentially leading to arbitrary code execution or memory corruption.

Apple has confirmed that these vulnerabilities "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26." The discovery and reporting of these flaws are credited to Apple's Security Engineering and Architecture (SEAR) team and Google's Threat Analysis Group (TAG), suggesting a coordinated effort to address these threats.

Cross-Platform Impact and Spyware Concerns

Notably, CVE-2025-14174 is identical to a vulnerability that Google recently patched in its Chrome browser. This shared vulnerability stems from an issue within the ANGLE graphics library, which is used by both Chrome's Blink engine and Apple's WebKit. This indicates that the flaws could impact a wide range of browsers and devices beyond Apple's ecosystem, including other Chromium-based browsers like Microsoft Edge, Opera, and Brave.

The nature of the attacks and the involvement of Google's Threat Analysis Group suggest that these zero-days were likely weaponized by commercial spyware vendors. Such actors are known to target individuals with advanced surveillance tools, making these patches crucial for protecting against highly targeted mercenary spyware campaigns.

Affected Devices and Update Information

Apple has released security updates to address these vulnerabilities across its product line. The fixed releases and the devices they apply to are:

  • iOS 26.2 and iPadOS 26.2: For iPhone 11 and later, and various iPad models.

  • iOS 18.7.3 and iPadOS 18.7.3: For iPhone XS and later, and various iPad models.

  • macOS Tahoe 26.2: For Macs running macOS Tahoe.

  • tvOS 26.2: For Apple TV HD and Apple TV 4K.

  • watchOS 26.2: For Apple Watch Series 6 and later.

  • visionOS 26.2: For Apple Vision Pro.

  • Safari 26.2: For Macs running macOS Sonoma and macOS Sequoia.

Users are strongly advised to update their devices as soon as possible. With these patches, Apple has now addressed nine zero-day vulnerabilities exploited in the wild during 2025, underscoring the ongoing threat landscape.
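
A fleet check against the fixed releases listed above, as an added example that is not code from Apple or BetterWorld Technology. The inventory schema, hostnames and installed versions are constructed, and hardware eligibility for a given release is not checked.

```python
# Fixed releases are taken from the update list above; everything else is constructed.
FIXED = {
    "iOS": ["18.7.3", "26.2"], "iPadOS": ["18.7.3", "26.2"],
    "macOS": ["26.2"], "tvOS": ["26.2"], "watchOS": ["26.2"],
    "visionOS": ["26.2"], "Safari": ["26.2"],
}
SAFARI_ONLY_MACOS = {14, 15}  # macOS Sonoma and Sequoia receive the fix via Safari 26.2

def parse(version):
    """'26.2' -> (26, 2, 0); padding makes '18.7' and '18.7.0' compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def required_update(platform, version):
    """Return the listed release to install, or None if already at or past it."""
    have = parse(version)
    fixes = sorted(FIXED[platform], key=parse)
    for fix in fixes:                      # a fix exists on the same major branch
        if parse(fix)[0] == have[0]:
            return None if have >= parse(fix) else fix
    for fix in fixes:                      # no branch match: next listed branch up
        if parse(fix)[0] > have[0]:
            return fix
    return None                            # newer than every listed release

def check_device(row):
    """Return (host, action) for one inventory row (hypothetical schema)."""
    platform, version = row["platform"], row["os"]
    if platform == "macOS" and parse(version)[0] in SAFARI_ONLY_MACOS:
        platform, version = "Safari", row["safari"]   # judge by browser version
    need = required_update(platform, version)
    return row["host"], f"{platform} {need}" if need else "ok"

# Constructed inventory rows, not real devices.
INVENTORY = [
    {"host": "iphone-01", "platform": "iOS", "os": "18.7.2"},
    {"host": "iphone-02", "platform": "iOS", "os": "26.2"},
    {"host": "ipad-01", "platform": "iPadOS", "os": "17.7"},
    {"host": "mac-01", "platform": "macOS", "os": "15.7.2", "safari": "18.6"},
    {"host": "mac-02", "platform": "macOS", "os": "14.8", "safari": "26.2"},
    {"host": "mac-03", "platform": "macOS", "os": "26.1"},
    {"host": "watch-01", "platform": "watchOS", "os": "26.2.1"},
]

def audit(inventory):
    return dict(check_device(row) for row in inventory)

if __name__ == "__main__":
    for host, action in audit(INVENTORY).items():
        print(f"{host:10} {action}")
```

Comparing within the same major branch matters here because iOS and iPadOS have two fixed releases: a device on 18.7.2 needs 18.7.3, and 26.1 needs 26.2.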

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
