
Apple Rolls Out Patches for ‘Sophisticated’ Targeted Zero-Day Attacks

The vulnerabilities may have been exploited in 'an extremely sophisticated attack against specific targeted individuals' using versions of iOS prior to iOS 26, as per Apple's security bulletin.

Will McCurdy, Contributor


Apple has rolled out urgent security updates to combat newly emerged zero-day vulnerabilities used in a hacking campaign targeting individual people.

The vulnerabilities may have been exploited in “an extremely sophisticated attack against specific targeted individuals” using versions of iOS prior to iOS 26, according to Apple's security bulletin.

According to cybersecurity website BleepingComputer, which first reported the news, one of the vulnerabilities, tracked as CVE-2025-43529, is a WebKit remote code execution flaw that “can be exploited by processing maliciously crafted web content.” Apple says the flaw was discovered by Google’s Threat Analysis Group. WebKit is the open-source engine that powers Safari, Mail, and the App Store, as well as many other apps on macOS, iOS, and Linux, including Chrome on iOS.

The other vulnerability, CVE-2025-14174, is reportedly another WebKit flaw that could potentially lead to memory corruption if exploited. Apple says this flaw was discovered by Apple and Google’s Threat Analysis Group in partnership.

As per BleepingComputer, devices susceptible to the vulnerabilities include the iPhone 11 and later; the iPad Pro 12.9-inch (3rd generation and later); and the iPad Pro 11-inch (1st generation and later). The iPad Air (3rd generation and later), the iPad (8th generation and later), and the iPad mini (5th generation and later) are also at risk.

Apple said the flaws have been fixed in iOS 26.2 and iPadOS 26.2; iOS 18.7.3 and iPadOS 18.7.3; macOS Tahoe 26.2; tvOS 26.2; watchOS 26.2; visionOS 26.2; and Safari 26.2.

No other information was revealed about the nature of the attack, other than that it appears to have targeted users running versions of iOS prior to iOS 26.

To install the latest security patch on your iPhone or iPad, head to Settings > General > Software Update. Alternatively, enable automatic updates to allow the device to patch itself in the future.

Google has also rolled out patches for vulnerabilities which TechCrunch notes could be connected to Apple's, though this is not verifiable with currently available information. Google released patches for several security bugs in its Chrome browser early this week, saying that one was being actively exploited, but without providing further details. The page was later updated to say the bug was uncovered by a combination of Apple’s security engineering team and Google’s Threat Analysis Group. TechCrunch highlighted that this particular unit of Google’s cybersecurity operations often deals with attacks linked to government-backed hacking groups.
