Apple fixes two zero-day flaws used in targeted attacks
NEWNow you can listen to News articles!
Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers actively exploited in highly targeted attacks.
The company described the activity as an “extremely sophisticated attack” targeting specific individuals. Although Apple did not identify the attackers or victims, the limited scope clearly suggests spyware-type operations rather than widespread cybercrime.
Both flaws affect WebKit, the browser engine behind Safari, and all browsers on iOS. As a result, the risk is significant. In some cases, simply visiting a malicious web page may be enough to trigger an attack.
Below, we break down what these vulnerabilities mean and explain how you can better protect yourself.
Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
Apple released emergency updates after confirming that two zero-day WebKit flaws were actively exploited in targeted attacks. (Reuters/Thomas Peter/File photo)
NEW IPHONE SCAM TRICKS OWNERS INTO GIVING AWAY PHONES
What Apple says about zero-day vulnerabilities
The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks. According to Apple’s security bulletin, the flaws were abused in versions of iOS released before iOS 26, and the attacks were limited to “specific individuals.”
CVE-2025-43529 is a use-after-free vulnerability in WebKit that can lead to arbitrary code execution when a device processes maliciously crafted web content. Simply put, it allows attackers to execute their own code on a device by tricking the browser into mishandling memory. Apple credited Google’s Threat Analysis Group for discovering this flaw, which is often a strong indicator of commercial or nation-state spyware activity.
The second flaw, CVE-2025-14174, is also a WebKit issue, this time related to memory corruption. While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to completely compromise a device. Apple says this issue was discovered jointly by Apple and Google’s Threat Analysis Group.
In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild. That language is important because Apple typically reserves it for situations where attacks have already occurred, not just theoretical risks. The company says it fixed the bugs through better memory management and better validation checks, without sharing deeper technical details that could help attackers replicate the exploits.
Affected devices and signs of coordinated disclosure
Apple has released patches across all of its supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS, and visionOS.
According to Apple’s notice, affected devices include the iPhone 11 and newer models, multiple generations of iPad Pro, iPad Air from the third generation onwards, the eighth-generation iPad and newer, and the iPad mini from the fifth generation onwards. This covers the vast majority of iPhones and iPads that are still actively used today.
Apple has fixed the bugs throughout its ecosystem. The fixes are available in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. Because Apple requires all iOS browsers to use WebKit internally, the same underlying issue also affected Chrome on iOS.
Six steps you can follow to protect yourself from these types of vulnerabilities
Here are six practical steps you can take to stay safe, especially in light of highly targeted zero-day attacks like this one.
REAL APPLE SUPPORT EMAILS USED IN NEW PHISHING SCAM
Because WebKit is supported by Safari and all iOS browsers, even one malicious web page can be enough to put unpatched devices at risk. (Jakub Porzycki/NurPhoto via Getty Images)
1) Install updates as soon as they are released
This sounds obvious, but it matters more than anything else. Zero-day attacks rely on people running outdated software. If Apple sends an emergency update, install it the same day if you can. Delaying updates is often the only thing window attackers need. If you tend to forget about updates, let your devices handle them for you. Enable automatic updates for iOS, iPadOS, macOS, and Safari. That way, you’ll be protected even if you miss the news or are traveling.
2) Be careful with links, even from people you know
Most WebKit exploits start with malicious web content. Avoid tapping random links sent via SMS, WhatsApp, Telegram or email unless you are expecting them. If something doesn’t work, open the site later by typing the address yourself.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have antivirus software installed on all of your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
3) Use a lock-style navigation setup
If you are a journalist, activist, or someone who handles sensitive information, consider reducing your attack surface. Only use Safari, avoid unnecessary browser extensions, and limit how often you open links within messaging apps.
4) Activate lockdown mode if you feel at risk
Apple’s Lockdown Mode is specifically designed for targeted attacks. It restricts certain web technologies, blocks most message attachments, and limits attack vectors commonly used by spyware. It’s not for everyone, but it exists for situations like this.
5) Reduce your exposed personal data
Targeted attacks typically begin with profiling. The more personal data about you floating around online, the easier it will be to target you. Removing data from broker sites and tightening social media privacy settings can reduce your visibility.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already available on the web: Cyberguy.com.
Apple urges users to install the latest updates, especially those who may face higher-risk targeted threats. (Cheng Xin/Getty Images)
6) Pay attention to unusual device behavior
Unexpected crashes, overheating, sudden battery drain, or Safari closing on its own can sometimes be warning signs. This does not automatically mean that your device is compromised. However, if something constantly seems wrong, immediately updating and resetting your device is a smart move.
Kurt’s Key Takeaway
Apple has not shared details about who was targeted or how the attacks were carried out. However, the pattern fits closely with previous spyware campaigns that targeted journalists, activists, political figures and other people of interest to surveillance operators. With these patches, Apple has fixed seven zero-day vulnerabilities that were exploited in the wild in 2025 alone. This includes flaws revealed earlier this year and a fix backed in September for older devices.
Have you already installed the latest iOS or iPadOS update or are you still putting it off? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE News APP
Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.