Emergency fixes deployed by Google and Apple after targeted attacks
Pierluigi Paganini
December 13, 2025
Google and Apple issued emergency updates to address zero-day flaws exploited in attacks targeting an unknown number of users.
Apple and Google have both pushed out urgent security updates after uncovering a highly targeted attacks against an unknown number of users. The attacks abused zero‑day vulnerabilities in their software. The campaign appears to involve nation-state actors and commercial spyware vendors, with a focus on specific high‑value individuals rather than mass exploitation.
This week, Google patched several Chrome bugs, including one actively exploited in the wild. The flaw, found by Apple and Google researchers.
Initially, the company did not share technical details, a sign that the underlying operation was still under active investigation. Only later did Google add that the bug had been jointly identified by Apple’s security engineering team and Google’s own Threat Analysis Group, the unit that tracks state-sponsored actors and commercial surveillance vendors. That joint attribution strongly suggests the vulnerability was part of a broader espionage campaign rather than opportunistic cybercrime.
At the same time, Apple released security updates for iPhones, iPads, Macs, and other devices, patching two WebKit bugs, tracked as CVE-2025-14174 and CVE-2025-43529, that are likely actively exploited in targeted, sophisticated attacks on iOS 26 and earlier.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.” states the advisory.
Apple and Google did not provide further info on the attacks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, zero-day)