- Apple patches two WebKit zero-days (CVE-2025-43529 and CVE-2025-14174) used in a highly targeted attack
- The bug was jointly disclosed by Google TAG and Apple, with Chrome receiving a parallel fix
- Updates span iOS, iPadOS, macOS, watchOS, tvOS, visionOS and Safari, with users encouraged to patch quickly
Apple has patched two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack”, which could have been a cyber-espionage operation against one or a handful of high-profile individuals.
In a new security advisory, Apple said it has deployed patches for a WebKit remote code execution (RCE) vulnerability and a WebKit memory corruption bug.
WebKit is Apple’s browser engine responsible for rendering web pages. It powers Safari on macOS, iOS and iPadOS and is used by all browsers on iPhone and iPad.
Fixes implemented
The two bugs are now tracked as CVE-2025-43529 and CVE-2025-14174.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS prior to iOS 26,” Apple’s security bulletin says.
Interestingly, both bugs were discovered by Google’s Threat Analysis Group (TAG), the company’s specialized cybersecurity arm, which primarily tracks state-sponsored threat actors. Apple also credited itself with the second bug.
It is also unusual that Google fixed a bug with the same identifier, CVE-2025-14174, in Chrome at the same time. This suggests that the two companies worked together to mitigate the risk, which is not surprising but also not that common, and could indicate that the exploit was quite serious.
The devices affected by these bugs include iPhone 11 and later, iPad Pro 12.9″ (3rd generation and later), iPad Pro 11″ (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).
The bugs were fixed in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2.
Although the chances of ordinary people being targeted through these bugs are somewhat slim, both companies still suggest that everyone apply the fix as soon as possible.
Via Bleeping Computer