Apple Releases Emergency Fixes for Zero-Days Exploited in Sophisticated Attacks

Apple has issued urgent security updates addressing two zero-day vulnerabilities that were actively exploited in what the company describes as an “extremely sophisticated attack” targeting specific individuals.

🔓 Zero-days addressed

  • CVE-2025-43529
    WebKit use-after-free flaw that could lead to remote code execution via malicious web content
    ➜ Discovered by Google Threat Analysis Group (TAG)
  • CVE-2025-14174
    WebKit flaw that could lead to memory corruption
    ➜ Discovered by Apple and Google TAG

Apple confirmed both vulnerabilities were exploited as part of the same attack campaign.

📱 Affected devices

  • iPhone 11 and later
  • iPad Pro 12.9-inch (3rd gen and later)
  • iPad Pro 11-inch (1st gen and later)
  • iPad Air (3rd gen and later)
  • iPad (8th gen and later)
  • iPad mini (5th gen and later)

✅ Fixed in

  • iOS / iPadOS 26.2
  • iOS / iPadOS 18.7.3
  • macOS Tahoe 26.2
  • tvOS 26.2
  • watchOS 26.2
  • visionOS 26.2
  • Safari 26.2

🧩 Coordinated disclosure with Google

Earlier this week, Google patched a Chrome zero-day originally listed as “High: Under coordination”.
The advisory was later updated to list CVE-2025-14174, confirming a coordinated response between Apple and Google.

WebKit is used by all browsers on iOS, including Chrome, so the exposure is not limited to Safari. The activity aligns with high-end spyware-style attacks.

⚠️ Why this matters

Although exploitation was highly targeted, zero-day attacks affecting browser engines are a critical risk, especially on mobile platforms.

With these fixes, Apple has now patched seven zero-days exploited in the wild in 2025, continuing a concerning trend of browser-based attack chains.

🛡️ Recommended action

✔ Install updates immediately on all Apple devices
✔ Treat delayed patching as a real security risk
✔ High-risk users should prioritize updates first
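
To act on the list above across a fleet, the following added example (not Apple's tooling and not part of the original article) checks an inventory against the releases under "Fixed in". The device names and the inventory layout are constructed; a version on a branch the list does not mention is reported for follow-up.

```python
# Fixed releases copied from the "Fixed in" list; one floor per major branch.
FIXED = {
    "iOS": ["18.7.3", "26.2"], "iPadOS": ["18.7.3", "26.2"],
    "macOS": ["26.2"], "tvOS": ["26.2"], "watchOS": ["26.2"],
    "visionOS": ["26.2"], "Safari": ["26.2"],
}

def parse_version(text):
    """'26.2' -> (26, 2, 0); padding makes 26.2 and 26.2.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(product, version):
    """True if version is at or above the listed fix for its major branch."""
    have = parse_version(version)
    floors = sorted(parse_version(v) for v in FIXED[product])
    if have[0] > floors[-1][0]:
        return True                      # newer major than any listed fix
    for floor in floors:
        if have[0] == floor[0]:
            return have >= floor         # same branch: compare to its floor
    return False                         # branch with no fix in the list

def needs_update(inventory):
    """Return (device, product, version, reason) for every row to follow up."""
    findings = []
    for device, product, version in inventory:
        try:
            if not is_patched(product, version):
                findings.append((device, product, version, "below fixed release"))
        except (KeyError, ValueError):
            # Unknown product name or a non-numeric version string.
            findings.append((device, product, version, "unrecognized product or version"))
    return findings

# Constructed sample inventory (hypothetical device names), e.g. an MDM export.
SAMPLE = [
    ("exec-iphone", "iOS", "26.1"),
    ("lab-ipad", "iPadOS", "18.7.3"),
    ("kiosk-ipad", "iPadOS", "17.7.2"),
    ("dev-mac", "macOS", "26.2"),
    ("old-phone", "iOS", "18.7"),
    ("tv-lobby", "tvOS", "26.2 beta"),
]

if __name__ == "__main__":
    for row in needs_update(SAMPLE):
        print(*row, sep="\t")
```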
