Apple fixes two zero-day flaws used in targeted attacks

Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers were actively exploiting in highly targeted attacks.

The company described the activity as a “highly sophisticated attack” targeting specific individuals. While Apple has not identified the attackers or victims, the limited scope strongly suggests spyware-like operations and not widespread cybercrime.

Both flaws affect WebKit, the browser engine behind Safari and every browser on iOS, so the risk is considerable. In some cases, simply visiting a malicious web page may be enough to trigger an attack.

Below we explain what these vulnerabilities mean and how you can better protect yourself.

Apple released emergency updates after confirming that two zero-day WebKit flaws were being actively exploited in targeted attacks. (REUTERS/Thomas Peter/File Photo)

What Apple says about the zero-day vulnerabilities

The two vulnerabilities are being tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks. According to Apple’s security bulletin, the flaws were exploited in versions of iOS released before iOS 26, and the attacks were limited to “specific targeted individuals.”

CVE-2025-43529 is a WebKit use-after-free vulnerability that could lead to arbitrary code execution when a device processes maliciously crafted web content. Simply put, it allows attackers to execute their own code on a device by tricking the browser into misusing memory. Apple credited Google’s Threat Analysis Group with discovering this flaw, which is often a strong indicator of national or commercial spyware activity.

The second flaw, CVE-2025-14174, is also a WebKit issue, this time related to memory corruption. Although Apple describes the impact as memory corruption rather than direct code execution, bugs of this type are often chained with other vulnerabilities to fully compromise a device. Apple says this issue was discovered jointly by Apple and Google’s Threat Analysis Group.

In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild. That language is important because Apple typically reserves it for situations where attacks have already occurred, not just for theoretical risks. The company says it addressed the bugs through improved memory management and better validation checks, without sharing deeper technical details that could help attackers replicate the exploits.

Affected devices and signs of coordinated disclosure

Apple has released patches for its supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS, and visionOS.

Per Apple’s advisory, affected devices include the iPhone 11 and later models, multiple generations of iPad Pro, iPad Air from the third generation onward, the eighth-generation iPad and newer, and iPad mini from the fifth generation onward. This includes the vast majority of iPhones and iPads that are still in active use.

Apple has fixed the flaws across its entire ecosystem. Fixes are available in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. Since Apple requires all iOS browsers to use WebKit under the hood, the same underlying issue also affected Chrome on iOS.
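For anyone looking after more than one device, the fixed releases above can be turned into a quick inventory check. The script below is an added example, not something published by Apple or the article's author; the CSV layout, device names and status labels are assumptions made for illustration.

```python
import csv
import io

# Fixed releases exactly as listed in the article, one entry per branch named there.
FIXED = {
    "iOS": ["18.7.3", "26.2"],
    "iPadOS": ["18.7.3", "26.2"],
    "macOS": ["26.2"],
    "tvOS": ["26.2"],
    "watchOS": ["26.2"],
    "visionOS": ["26.2"],
    "Safari": ["26.2"],
}

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE_INVENTORY = """device,platform,version
iphone-a,iOS,26.1
iphone-b,iOS,18.7.3
ipad-c,iPadOS,18.7.2
mac-d,macOS,26.2
iphone-e,iOS,17.7.2
watch-f,watchOS,26.2.1
"""

def parse_version(text):
    """Turn '18.7.3' into (18, 7, 3); pad short versions so '26.2' == '26.2.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(platform, version):
    fixed = sorted(parse_version(f) for f in FIXED.get(platform, []))
    if not fixed:
        return "unknown-platform"
    have = parse_version(version)
    if have >= fixed[-1]:
        return "patched"  # at or beyond the newest fixed release
    for f in fixed:
        if f[0] == have[0]:  # same major branch, e.g. the 18.x line
            return "patched" if have >= f else "needs-update"
    # Branch not named in the article: flag for manual review, do not guess.
    return "no-fix-listed-for-branch"

def audit(inventory_csv):
    """Return (device, status) for every row that is not confirmed patched."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    results = [(r["device"], patch_status(r["platform"], r["version"])) for r in rows]
    return [(d, s) for d, s in results if s != "patched"]

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY):
        print(f"{device}: {status}")
```

Comparing within the same major branch matters here: an iPhone on 18.7.3 is patched even though its version number is lower than 26.2, while one on 26.1 is not.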

6 steps you can take to protect yourself from such vulnerabilities

Here are six practical steps you can take to stay safe, especially in the face of highly targeted zero-day attacks like this.

Since WebKit powers Safari and all iOS browsers, even a malicious web page can be enough to compromise unpatched devices. (Jakub Porzycki/NurPhoto via Getty Images)

1) Install updates as soon as they appear

This sounds obvious, but it’s more important than anything. Zero-day attacks rely on people using outdated software. If Apple sends an emergency update, install it the same day if possible. Delaying updates is often the only window attackers need. If you tend to forget about updates, let your devices handle it for you. Enable automatic updates for iOS, iPadOS, macOS, and Safari. This way you are protected, even if you miss the news or are traveling.

2) Be careful with links, even from people you know

Most WebKit exploits start with malicious web content. Avoid tapping random links sent via SMS, WhatsApp, Telegram or email unless you are expecting them. If something seems off, you can open the site later by typing the address yourself.

The best way to protect yourself from malicious links that install malware and potentially gain access to your private data is to install antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware attacks, keeping your personal data and digital assets safe.

3) Use a lockdown-style browser configuration

If you’re a journalist, activist, or someone who handles sensitive information, consider reducing your attack surface. Use only Safari, avoid unnecessary browser extensions, and limit how often you open links in messaging apps.

4) Enable Lockdown Mode if you feel threatened

Apple’s Lockdown Mode is specifically designed for targeted attacks. It restricts certain web technologies, blocks most message attachments, and limits attack vectors commonly used by spyware. It’s not for everyone, but it exists for situations like this.

5) Reduce your exposed personal data

Targeted attacks often start with profiling. The more personal information about you floating around online, the easier it is to target you. Removing data from broker sites and tightening social media privacy settings can reduce your visibility.

While no service can guarantee the complete deletion of your data from the Internet, a data deletion service is truly a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically removing your personal data from hundreds of websites. It gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers comparing data from breaches to information they can find on the dark web, making it harder for them to target you.

Apple urges users to install the latest updates, especially those who may encounter higher-risk targeted threats. (Cheng Xin/Getty Images)

6) Watch for unusual device behavior

Unexpected crashes, overheating, sudden battery drain, or Safari closing on its own can sometimes be warning signs. These do not automatically mean that your device is affected. However, if there is something persistently wrong, it is a smart move to immediately update and reset the device.

Kurt’s most important takeaway

Apple did not share details about who was targeted or how the attacks were carried out. However, the pattern closely follows previous spyware campaigns that targeted journalists, activists, political figures and others of interest to surveillance operators. With these patches, Apple has now fixed seven zero-day vulnerabilities that were exploited in the wild in 2025 alone. That includes bugs revealed earlier this year and a backport fix in September for older devices.

Have you already installed the latest iOS or iPadOS update, or are you still postponing it? Let us know by writing to us at Cyberguy.com.

Copyright 2025 CyberGuy.com. All rights reserved.
