NEWYou can now listen to Fox News articles!
Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers have actively exploited in highly targeted attacks.
The company described this activity as a “highly sophisticated attack” targeting specific individuals. Although Apple has not identified the attackers or victims, the limited scope strongly suggests spyware-style operations rather than widespread cybercrime.
Both flaws affect WebKit, the browser engine behind Safari and all browsers on iOS. The risk is therefore significant. In some cases, simply visiting a malicious web page can be enough to trigger an attack.
Below, we explain what these vulnerabilities mean and explain how you can better protect yourself.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive offers straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM bulletin.
Apple has issued emergency updates after confirming that two WebKit zero-day vulnerabilities were being actively exploited in targeted attacks. (Reuters/Thomas Peter/File photo)
New iPhone scam tricks owners into giving away their phones
What Apple says about zero-day vulnerabilities
The two vulnerabilities are identified as CVE-2025-43529 and CVE-2025-14174, and Apple has confirmed that both were exploited in the same real-world attacks. According to Apple’s security bulletin, the flaws were exploited on versions of iOS released before iOS 26, and the attacks were limited to “specific targeted individuals.”
CVE-2025-43529 is a use-after-free vulnerability in WebKit that can lead to arbitrary code execution when a device processes maliciously crafted web content. Simply put, this allows attackers to run their own code on a device by tricking the browser into mismanaging memory. Apple credited Google’s threat analysis group for discovering the flaw, which is often a strong indicator of spyware activity at a nation-state or commercial level.
The second flaw, CVE-2025-14174, is also a WebKit issue, this time involving memory corruption. While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to completely compromise a device. Apple says this issue was discovered jointly by Apple and Google’s threat analysis group.
In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild. This language is important because Apple generally reserves it for situations where attacks have already occurred, not just theoretical risks. The company claims to have fixed the bugs through improved memory management and better validation checks, without sharing deeper technical details that could help attackers reproduce the exploits.
Affected devices and signs of coordinated disclosure
Apple has released fixes for its supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS, and visionOS.
According to Apple’s notice, affected devices include the iPhone 11 and newer models, multiple generations of iPad Pro, iPad Air from the third generation, the eighth generation iPad and newer, and the iPad mini from the fifth generation. This covers the vast majority of iPhones and iPads still in active use today.
Apple has fixed flaws across its entire ecosystem. The fixes are available in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. Since Apple requires all iOS browsers to use WebKit under the hood, the same underlying issue has also affected Chrome on iOS.
6 steps you can take to protect yourself from such vulnerabilities
Here are six practical steps you can take to stay safe, especially in light of highly targeted zero-day attacks like this one.
REAL APPLE SUPPORT EMAILS USED IN NEW PHISHING SCAM
Since WebKit powers Safari and all iOS browsers, even one malicious web page can be enough to put unpatched devices at risk. (Jakub Porzycki/NurPhoto via Getty Images)
1) Install updates as soon as they are released
This seems obvious, but it’s more important than anything else. Zero-day attacks rely on people running outdated software. If Apple sends an emergency update, install it the same day if you can. Delaying updates is often the only window attackers need. If you tend to forget about updates, let your devices handle them for you. Enable automatic updates for iOS, iPadOS, macOS and Safari. This way you are protected even if you miss the news or travel.
2) Be careful with links, even those from people you know
Most WebKit exploits start with malicious web content. Avoid tapping random links sent via SMS, WhatsApp, Telegram or email unless you expect them. If something goes wrong, open the site later by typing in the address yourself.
The best way to protect yourself from malicious links that install malware, potentially accessing your private information, is to install antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware scams, protecting your personal information and digital assets.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
3) Use a lock-style navigation setup
If you are a journalist, activist, or someone who deals with sensitive information, consider reducing your attack surface. Use only Safari, avoid unnecessary browser extensions, and limit how often you open links in messaging apps.
4) Activate lockdown mode if you feel unsafe
Apple’s Lockdown mode is specifically designed for targeted attacks. It restricts certain web technologies, blocks most message attachments, and limits attack vectors commonly used by spyware. It’s not for everyone, but it exists for situations like this.
5) Reduce your exposed personal data
Targeted attacks often start with profiling. The more personal data about you circulating online, the easier it is to target you. Removing data from broker sites and boosting privacy settings on social media can reduce your visibility.
Although no service can guarantee the complete removal of your data from the Internet, a data deletion service is definitely a wise choice. They’re not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information across hundreds of websites. This is what gives me peace of mind and has proven to be the most effective way to erase your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data deletion services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
Get a free analysis to find out if your personal information is already available on the web: Cyberguy.com.
Apple urges users to install the latest updates, especially those who may face higher-risk targeted threats. (Cheng Xin/Getty Images)
6) Pay attention to unusual device behavior
Unexpected crashes, overheating, sudden battery drain, or Safari closing spontaneously can sometimes be warning signs. This does not automatically mean your device is compromised. However, if something is still wrong, immediately updating and resetting the device is a wise decision.
Kurt’s key point
Apple did not share details about who was targeted or how the attacks were carried out. However, this trend closely matches past spyware campaigns targeting journalists, activists, political figures and others of interest to surveillance operators. With these patches, Apple has now fixed seven zero-day vulnerabilities that were wildly exploited in 2025 alone. This includes flaws revealed earlier this year and a patch backported in September for older devices.
Have you already installed the latest iOS or iPadOS update, or are you still delaying it? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive offers straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM bulletin.
Copyright 2025 CyberGuy.com. All rights reserved.
