Urgent iPhone Security Alert: Update Immediately to Avoid Attacks

Key Takeaways:

  • Apple has warned of two iPhone vulnerabilities that may have been exploited in a sophisticated attack against specific targeted individuals.
  • The vulnerabilities, CVE-2025-14174 and CVE-2025-43529, affect WebKit and can lead to arbitrary code execution and memory corruption.
  • Apple has released iOS 26.2 to fix the vulnerabilities, and users are advised to update immediately.
  • The attacks targeted individuals on versions of iOS before iOS 26, and users are warned not to delay updating.
  • WebKit is a primary target for attackers, and users should expect these types of attacks to continue.

Introduction to the iPhone Vulnerabilities
Apple has recently warned that two iPhone vulnerabilities may have been exploited in a sophisticated attack against specific targeted individuals. This warning comes after the company issued spyware warnings to iPhone users around the world earlier this month. The two vulnerabilities, CVE-2025-14174 and CVE-2025-43529, have been fixed in iOS 26.2, which was released today. However, the warning is more serious for users who have not yet upgraded to iOS 26, as the attacks targeted individuals on versions of iOS before iOS 26.

The Vulnerabilities and Their Impact
The two vulnerabilities are linked and affect WebKit, which is a primary target for attackers. With one of them, processing maliciously crafted web content may lead to arbitrary code execution. The other may lead to memory corruption, and the pairing has the hallmarks of a chained spyware attack. According to Ali Mousavifar from Menlo Security, "the two active WebKit exploits in iOS 26.2 highlight a clear trend: browser engines are a primary target for attackers." Mayuresh Dani from Qualys also notes that "WebKit has a well-documented history of serving as the primary entry point for sophisticated spyware and surveillance campaigns."

The Importance of Updating to iOS 26.2
iPhone users are advised to update to iOS 26.2 immediately to protect themselves from these vulnerabilities. The update fixes not only the two exploited vulnerabilities but also eight other WebKit threats, including various types of memory mishandling. Users should also follow operational security practices: using iCloud Private Relay to mask their IP address and encrypt DNS queries, enabling private browsing, and temporarily disabling JavaScript while interacting with untrusted sites. James Maude from BeyondTrust warns that "users should urgently update all their impacted Apple devices," as the vulnerabilities can quickly become a must-have exploit for a range of threat actors.

The Broader Risk to Users
The risk to users extends beyond the two exploited vulnerabilities. For example, an app may be able to access sensitive user data in Messages, or password fields may be unintentionally revealed when remotely controlling a device over FaceTime. Additionally, the fact that iOS 26’s fixes are now in the public domain means that other threat actors may try to exploit the vulnerabilities. Google also warned that its OS was under attack earlier this month, with two vulnerabilities being exploited in the wild to target Android users.

The Risk of WebKit Vulnerabilities
WebKit is a critical component of iOS, and its vulnerabilities can have significant consequences. Maude notes that "WebKit is the underpinning for every iOS browser and many apps," and that "if WebKit is vulnerable, your entire device could be vulnerable when viewing content online." The fact that WebKit is a primary target for attackers means that users should expect these types of attacks to continue. As Darren Guccione from Keeper Security notes, "there’s no workaround or user behavior that meaningfully mitigates this risk," and installing the update "is the only effective defense."

Conclusion and Recommendations
In conclusion, the two iPhone vulnerabilities highlighted by Apple are a serious concern for users, and it is essential to update to iOS 26.2 immediately to protect against these threats. Users should also follow operational security practices to minimize their risk. The broader risk to users and the fact that WebKit is a primary target for attackers mean that users should be vigilant and take steps to protect themselves. As the mercenary spyware industry continues to target both Android and iPhone users, it is crucial for users to stay informed and take proactive measures to secure their devices.
