Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” reads Apple’s security bulletin.
CVE-2025-43529 is a WebKit use-after-free remote code execution flaw that can be exploited by processing maliciously crafted web content. Apple says the flaw was discovered by Google’s Threat Analysis Group.
CVE-2025-14174 is a WebKit memory corruption flaw that could lead to memory corruption. Apple says the flaw was discovered by both Apple and Google’s Threat Analysis Group.
Devices impacted by both flaws include:
-
iPhone 11 and later
-
iPad Pro 12.9-inch (3rd generation and later)
-
iPad Pro 11-inch (1st generation and later)
-
iPad Air (3rd generation and later)
-
iPad (8th generation and later)
-
iPad mini (5th generation and later)
Apple has fixed the flaws in OS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2.
On Wednesday, Google fixed a mysterious zero-day flaw in Google Chrome, initially labeling it as “[N/A][466192044] High: Under coordination.”
However, Google has now updated the advisory to identify the bug as “CVE-2025-14174: Out-of-bounds memory access in ANGLE,” which is the same CVE fixed by Apple, indicating coordinated disclosure between the two companies.
Apple has not disclosed technical details about the attacks beyond saying they targeted individuals running versions of iOS before iOS 26.
As both flaws affect WebKit, which Google Chrome uses on iOS, the activity is consistent with highly targeted spyware attacks.
While these flaws were only exploited in targeted attacks, users are strongly advised to install the latest security updates promptly to reduce the risk of ongoing exploitation.
With these fixes, Apple has now patched seven zero-day vulnerabilities that were exploited in the wild in 2025, beginning with CVE-2025-24085 in January, CVE-2025-24200 in February, CVE-2025-24201 in March, and two more in April (CVE-2025-31200 and CVE-2025-31201).
In September, Apple also backported a fix for a zero-day tracked as CVE-2025-43300 to older devices running iOS 15.8.5 / 16.7.12 and iPadOS 15.8.5 / 16.7.12.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.