Apple patches two zero-day flaws used in targeted attacks

The company described the activity as an "extremely sophisticated attack" aimed at specific individuals. Although Apple did not identify the attackers or victims, the limited scope strongly suggests spyware-style operations rather than widespread cybercrime.

Both flaws affect WebKit, the browser engine behind Safari and all browsers on iOS. As a result, the risk is significant. In some cases, simply visiting a malicious webpage may be enough to trigger an attack.

Below, we break down what these vulnerabilities mean and explain how you can better protect yourself.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks. According to Apple's security bulletin, the flaws were abused on versions of iOS released before iOS 26, and the attacks were limited to "specific targeted individuals."

CVE-2025-43529 is a WebKit use-after-free vulnerability that can lead to arbitrary code execution when a device processes maliciously crafted web content. To put it simply, it allows attackers to run their own code on a device by tricking the browser into mishandling memory. Apple credited Google's Threat Analysis Group with discovering this flaw, which is often a strong indicator of nation-state or commercial spyware activity.

The second flaw, CVE-2025-14174, is also a WebKit issue, this time involving memory corruption. While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to fully compromise a device. Apple says this issue was discovered jointly by Apple and Google's Threat Analysis Group.

In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild. That language is important because Apple typically reserves it for situations where attacks have already occurred, not just theoretical risks. The company says it addressed the bugs through improved memory management and better validation checks, without sharing deeper technical details that could help attackers replicate the exploits.

According to Apple's advisory, affected devices include iPhone 11 and newer models, multiple generations of iPad Pro, iPad Air from the third generation onward, the eighth-generation iPad and newer and the iPad mini starting with the fifth generation. This covers the vast majority of iPhones and iPads still in active use today.

Apple has patched the flaws across its entire ecosystem. Fixes are available in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2 and Safari 26.2. Because Apple requires all iOS browsers to use WebKit under the hood, the same underlying issue also affected Chrome on iOS.

Here are six practical steps you can take to stay safe, especially in light of highly targeted zero-day attacks like this.

This sounds obvious, but it matters more than anything else. Zero-day attacks rely on people running outdated software. If Apple ships an emergency update, install it the same day if you can. Delaying updates is often the only window attackers need. If you tend to forget about updates, let your devices handle them for you. Enable automatic updates for iOS, iPadOS, macOS and Safari. That way, you are protected even if you miss the news or are traveling.

Most WebKit exploits start with malicious web content. Avoid tapping on random links sent over SMS, WhatsApp, Telegram or email unless you are expecting them. If something feels off, open the site later by typing the address yourself.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.

Apple's Lockdown Mode is designed specifically for targeted attacks. It restricts certain web technologies, blocks most message attachments, and limits attack vectors commonly used by spyware. It is not for everyone, but it exists for situations like this.

Targeted attacks often start with profiling. The more personal data about you that is floating around online, the easier it is to pick you as a target. Removing data from broker sites and tightening social media privacy settings can lower your visibility.

Check out my top picks for data removal services, and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Apple has not shared details about who was targeted or how the attacks were delivered. However, the pattern fits closely with past spyware campaigns that focused on journalists, activists, political figures and others of interest to surveillance operators. With these patches, Apple has now fixed seven zero-day vulnerabilities that were exploited in the wild in 2025 alone. That includes flaws disclosed earlier this year and a backported fix in September for older devices.

Sign up for my FREE CyberGuy Report Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

Copyright 2025 CyberGuy.com. All rights reserved.