Apple patches two zero-day flaws used in targeted attacks

By News Room | December 28, 2025

Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers actively exploited in highly targeted attacks. 

The company described the activity as an “extremely sophisticated attack” aimed at specific individuals. Although Apple did not identify the attackers or victims, the limited scope strongly suggests spyware-style operations rather than widespread cybercrime.

Both flaws affect WebKit, the browser engine behind Safari and all browsers on iOS. As a result, the risk is significant. In some cases, simply visiting a malicious webpage may be enough to trigger an attack.

Below, we break down what these vulnerabilities mean and explain how you can better protect yourself.

What Apple says about the zero-day vulnerabilities

The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks.

According to Apple’s security bulletin, the flaws were abused on versions of iOS released before iOS 26, and the attacks were limited to “specific targeted individuals.”

CVE-2025-43529 is a WebKit use-after-free vulnerability that can lead to arbitrary code execution when a device processes maliciously crafted web content. To put it simply, it allows attackers to run their own code on a device by tricking the browser into mishandling memory.

Apple credited Google’s Threat Analysis Group with discovering this flaw, which is often a strong indicator of nation-state or commercial spyware activity.

The second flaw, CVE-2025-14174, is also a WebKit issue, this time involving memory corruption.

While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to fully compromise a device.

Apple says this issue was discovered jointly by Apple and Google’s Threat Analysis Group.

In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild.

That language is important because Apple typically reserves it for situations where attacks have already occurred, not just theoretical risks.

The company says it addressed the bugs through improved memory management and better validation checks, without sharing deeper technical details that could help attackers replicate the exploits.

Devices affected and signs of coordinated disclosure

Apple has released patches across its supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS and visionOS.

According to Apple’s advisory, affected devices include iPhone 11 and newer models, multiple generations of iPad Pro, iPad Air from the third generation onward, the eighth-generation iPad and newer and the iPad mini starting with the fifth generation.

This covers the vast majority of iPhones and iPads still in active use today.

Apple has patched the flaws across its entire ecosystem. Fixes are available in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2 and Safari 26.2. Because Apple requires all iOS browsers to use WebKit under the hood, the same underlying issue also affected Chrome on iOS.

6 steps you can take to protect yourself from such vulnerabilities

Here are six practical steps you can take to stay safe, especially in light of highly targeted zero-day attacks like this.

1) Install updates as soon as they drop

This sounds obvious, but it matters more than anything else. Zero-day attacks rely on people running outdated software.

If Apple ships an emergency update, install it the same day if you can. Delaying updates is often the only window attackers need. If you tend to forget about updates, let your devices handle them for you. Enable automatic updates for iOS, iPadOS, macOS and Safari. That way, you are protected even if you miss the news or are traveling.

2) Be careful with links, even from people you know

Most WebKit exploits start with malicious web content. Avoid tapping on random links sent over SMS, WhatsApp, Telegram or email unless you are expecting them. If something feels off, open the site later by typing the address yourself.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices.

This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

3) Use a lockdown-style browsing setup

If you are a journalist, an activist or someone who deals with sensitive information, consider reducing your attack surface.

Use Safari only, avoid unnecessary browser extensions, and limit how often you open links inside messaging apps.

4) Turn on Lockdown Mode if you feel at risk

Apple’s Lockdown Mode is designed specifically for targeted attacks. It restricts certain web technologies, blocks most message attachments, and limits attack vectors commonly used by spyware. It is not for everyone, but it exists for situations like this.

5) Reduce your exposed personal data

Targeted attacks often start with profiling. The more personal data about you that is floating around online, the easier it is to pick you as a target. Removing data from broker sites and tightening social media privacy settings can lower your visibility.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy.

These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet.

By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

6) Pay attention to unusual device behavior

Unexpected crashes, overheating, sudden battery drain or Safari closing on its own can sometimes be warning signs. These do not automatically mean your device is compromised. However, if something feels consistently wrong, updating immediately and resetting the device is a smart move.

Kurt’s key takeaway

Apple has not shared details about who was targeted or how the attacks were delivered. However, the pattern fits closely with past spyware campaigns that focused on journalists, activists, political figures and others of interest to surveillance operators.

With these patches, Apple has now fixed seven zero-day vulnerabilities that were exploited in the wild in 2025 alone.

That includes flaws disclosed earlier this year and a backported fix in September for older devices.
