Apple Issues Emergency Patches for Two Actively Exploited Zero-Day Flaws
SAN FRANCISCO, Calif. — Apple has released urgent security updates to address two zero-day vulnerabilities in its WebKit browser engine that have been actively exploited in highly targeted cyberattacks. The company described the incidents as “extremely sophisticated attacks” aimed at specific individuals, underscoring the serious risk posed to iPhone and iPad users worldwide.
The two critical flaws, tracked as CVE-2025-43529 and CVE-2025-14174, affect WebKit, the core engine behind Safari and all browsers on iOS devices. According to Apple’s security bulletin, these vulnerabilities were exploited on versions of iOS prior to the release of iOS 26, with attackers leveraging maliciously crafted web content to compromise devices.
CVE-2025-43529 is a use-after-free vulnerability that allows arbitrary code execution by tricking the browser into mishandling memory. This flaw was discovered by Google’s Threat Analysis Group, a team known for identifying advanced threats often linked to nation-state or commercial spyware operations. The second flaw, CVE-2025-14174, involves memory corruption and was jointly found by Apple and Google’s Threat Analysis Group. While it does not directly enable code execution, such memory corruption bugs can be chained with other exploits to fully compromise a device.
Apple confirmed that both vulnerabilities have been exploited in the wild, a designation reserved for confirmed active attacks rather than theoretical risks. The limited scope of the attacks suggests spyware-style operations targeting specific individuals rather than widespread cybercrime campaigns.
“These are highly sophisticated attacks aimed at specific targets,” Apple stated in its security update. The company has addressed the flaws through improved memory management and enhanced validation checks but withheld detailed technical information to prevent further exploitation.
Users of affected devices, including iPhones, iPads, Macs, Apple Watches, Apple TVs, and Vision Pro headsets, are strongly urged to install the latest updates immediately to protect against these threats. The patches are available through the standard software update mechanisms.
Security experts emphasize the urgency of applying these updates promptly, as simply visiting a malicious webpage could trigger an attack exploiting these vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued advisories highlighting the active exploitation and recommending immediate patching.
Apple’s swift response and collaboration with Google’s Threat Analysis Group reflect the growing importance of cross-industry cooperation in defending against sophisticated cyber threats. For more information on how to update your devices and stay secure, users can visit Apple’s official security updates page and consult guidance from the Federal Trade Commission on protecting personal information.
As cyberattacks continue to evolve, experts advise users to maintain updated software, exercise caution when browsing unfamiliar websites, and remain vigilant against potential phishing or social engineering attempts. The recent incident serves as a stark reminder of the persistent threats facing mobile device users worldwide.
