Apple has issued critical security patches addressing two actively exploited zero-day vulnerabilities affecting iPhone and iPad devices.
The tech giant confirmed that both flaws were leveraged in extremely sophisticated attacks targeting specific individuals before iOS 26 was released.
Critical WebKit Vulnerabilities Under Active Exploitation
The vulnerabilities, tracked as CVE-2025-43529 and CVE-2025-14174, reside in WebKit, the Apple browser engine that powers Safari and renders in-app web content.
Google’s Threat Analysis Group discovered both security flaws, highlighting the sophisticated nature of the attacks.
| CVE ID | Component | Vulnerability Type | Exploitation Status |
|---|---|---|---|
| CVE-2025-43529 | WebKit | Use-after-free | Actively exploited |
| CVE-2025-14174 | WebKit | Memory corruption | Actively exploited |
| CVE-2025-46285 | Kernel | Integer overflow | Not known |
| CVE-2025-46288 | App Store | Permissions issue | Not known |
| CVE-2025-46287 | Calling Framework | UI inconsistency | Not known |
| CVE-2025-43539 | AppleJPEG | Memory corruption | Not known |
| CVE-2025-43542 | FaceTime | State management | Not known |
| CVE-2025-43518 | Foundation | Logic issue | Not known |
| CVE-2025-43532 | Foundation | Memory corruption | Not known |
| CVE-2025-46279 | Icons | Permissions issue | Not known |
| CVE-2025-43533 | Multi-Touch | Memory corruption | Not known |
| CVE-2025-43428 | Photos | Configuration issue | Not known |
| CVE-2025-46277 | Screen Time | Logging issue | Not known |
| CVE-2025-43538 | Screen Time | Logging issue | Not known |
| CVE-2025-46276 | Messages | Information disclosure | Not known |
| CVE-2025-46292 | Telephony | Entitlement issue | Not known |
CVE-2025-43529 involves a use-after-free vulnerability that could allow attackers to execute arbitrary code through maliciously crafted web content.
Apple addressed this issue with improved memory management.
The second vulnerability, CVE-2025-14174, is a memory corruption issue that could be triggered when processing specially crafted web content; Apple resolved it with improved validation.
The vulnerabilities impact a wide range of Apple devices including iPhone 11 and later models, along with multiple iPad generations.
Specifically, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later are all affected.
Apple’s acknowledgment of active exploitation underscores the critical nature of these vulnerabilities.
The company confirmed these flaws were used in highly targeted attacks against specific individuals, suggesting state-sponsored or advanced persistent threat actors may be involved.
Users of affected devices should immediately update to the latest iOS version to protect against these actively exploited vulnerabilities.
The sophisticated nature of these attacks demonstrates the evolving threat landscape facing mobile device users, particularly high-value targets.
