Key Takeaways
- Apple has released urgent security updates to address two critical zero-day vulnerabilities, CVE-2025-43529 and CVE-2025-14174, which have been exploited in sophisticated real-world attacks.
- The vulnerabilities affect a broad range of Apple devices, including iPhone, iPad, and Mac models, and can be exploited by luring users to maliciously crafted web content.
- The patches are available in the latest software versions, including iOS 18.7.3, iPadOS 18.7.3, macOS Tahoe 26.2, and Safari 26.2.
- Users are advised to install the latest updates immediately to block potential exploitation and prevent emerging threats from taking advantage of similar flaws.
Introduction to the Vulnerabilities
Apple has issued urgent security updates to address two critical zero-day vulnerabilities that have been exploited in sophisticated real-world attacks targeting specific individuals. The patches are part of a broader emergency update that spans iOS, iPadOS, macOS, watchOS, tvOS, and Apple’s Safari browser. The flaws, tracked as CVE-2025-43529 and CVE-2025-14174, reside in WebKit, the browser engine that powers Safari and underlies web content in many Apple apps. Because WebKit is deeply integrated into device operations, attackers could exploit these weaknesses simply by luring users to maliciously crafted web content — without any interaction beyond loading a webpage.
Description of the Vulnerabilities
According to Apple, both zero-days affect memory handling in WebKit. CVE-2025-43529 is a use-after-free error, a class of flaw in which software keeps using memory after it has been freed, giving attackers an entry point to execute arbitrary code. This defect was identified by Google’s Threat Analysis Group (TAG), a team focused on uncovering sophisticated threats. CVE-2025-14174 involves memory corruption; this vulnerability, credited to both Apple and Google TAG researchers, could allow crafted content to destabilise device memory, potentially leading to exploitation. Apple’s official security bulletin states that both flaws “may have been exploited in an extremely sophisticated attack against specific targeted individuals” on devices running versions of iOS prior to the latest releases.
Wide Range of Affected Devices
The vulnerabilities affect a broad swath of Apple’s mobile hardware, including iPhone 11 and later, iPad Pro models (12.9-inch 3rd generation and later, 11-inch 1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later). To mitigate the threat, Apple has released patches in the following software versions: iOS 18.7.3, iPadOS 18.7.3, macOS Tahoe 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, and Safari 26.2. Users of these devices are advised to install the latest updates immediately to block potential exploitation and prevent emerging threats from taking advantage of similar flaws.
Coordinated Disclosure and Broader Industry Response
This week’s update follows nearly concurrent action by Google, which patched a related zero-day in its Chrome browser originally listed as bug 466192044 before being tied to CVE-2025-14174 — underscoring coordinated disclosure between the two tech giants and a shared concern over active exploitation. Security experts note that the involvement of Google’s Threat Analysis Group — known for tracking state-linked actors — suggests these attacks may resemble other high-precision surveillance campaigns seen in recent years, in which spyware is deployed against diplomats, journalists, activists, or corporate executives rather than the general public.
Not an Isolated Incident
Apple’s response this week brings the total number of zero-day vulnerabilities patched in 2025 to at least seven, including earlier WebKit flaws and other high-risk bugs affecting core system components. These include CVE-2025-24085 in January, multiple WebKit issues in early spring, and a separate zero-day backported for older devices running iOS 15 and 16 in September. Cybersecurity analysts say the frequency and sophistication of these incidents highlight a broader — and growing — trend of targeted iOS attacks. They point to past campaigns such as Operation Triangulation, a complex iPhone exploit chain first exposed in 2023 that used multiple zero-day bugs to deploy spyware and remained undetected for months. Although not directly connected to the current vulnerabilities, such past incidents underscore how advanced threat actors operate against mobile platforms.
What Users Should Do Now
While Apple indicates these zero-days were primarily used in targeted attacks, it is strongly advised that all users install the latest updates immediately to block potential exploitation and prevent emerging threats from taking advantage of similar flaws. To update, users can navigate to Settings > General > Software Update on iPhone and iPad devices, or use System Preferences on macOS. For older devices that cannot upgrade to the newest OS versions, Apple typically offers standalone security patches where possible. By installing the latest updates, users can protect themselves from potential exploitation and ensure the security and integrity of their devices.
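A quick way to confirm that a Mac is on the patched builds the article lists, as an added example that is not the article's own or Apple's: it compares the installed macOS and Safari versions against 26.2 (read with sw_vers and from Safari's Info.plist, with constructed sample values standing in off a Mac) and returns non-zero if either is behind.

```shell
# Added example, not from the article or from Apple: check whether a Mac is at or
# above the builds the article names as patched (macOS Tahoe 26.2, Safari 26.2).
# Off a Mac, constructed sample versions stand in so the script still runs.

PATCHED_MACOS=26.2     # patched builds named in the article
PATCHED_SAFARI=26.2

# Return 0 if dotted version $1 is greater than or equal to dotted version $2,
# comparing component by component (so 26.10 > 26.2, and 26.2 == 26.2.0).
version_ge() {
    have=$1; need=$2
    while [ -n "$have" ] || [ -n "$need" ]; do
        h=${have%%.*}; n=${need%%.*}
        [ "${h:-0}" -gt "${n:-0}" ] && return 0
        [ "${h:-0}" -lt "${n:-0}" ] && return 1
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $need in *.*) need=${need#*.} ;; *) need= ;; esac
    done
    return 0
}

# Print a verdict for one component ($1 name, $2 installed, $3 required);
# return 0 if patched, 1 if an update is needed.
check_component() {
    if version_ge "$2" "$3"; then echo "$1 $2: OK (at or above $3)"; return 0; fi
    echo "$1 $2: UPDATE NEEDED (patched build is $3)"; return 1
}

# Installed versions: read from sw_vers and Safari's Info.plist on a Mac,
# otherwise use constructed sample values (macOS behind, Safari current).
installed_macos() {
    if command -v sw_vers >/dev/null 2>&1; then sw_vers -productVersion
    else echo 26.1; fi
}
installed_safari() {
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -r "$plist" ]; then defaults read "$plist" CFBundleShortVersionString
    else echo 26.2; fi
}

# Return 1 if any component is behind, so the script can feed a fleet inventory job.
audit() {
    status=0
    check_component macOS  "$(installed_macos)"  "$PATCHED_MACOS"  || status=1
    check_component Safari "$(installed_safari)" "$PATCHED_SAFARI" || status=1
    return $status
}

audit || echo "At least one component needs updating."
```

Run it on each Mac (or from an MDM script) and collect the exit status; iPhones and iPads report their version through the device inventory rather than a shell.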