Apple recently released emergency updates to address two zero-day vulnerabilities, CVE-2025-43529 and CVE-2025-14174, which were actively exploited in what the company described as an “extremely sophisticated attack” against specific targeted individuals. Both fixes were issued in response to a single exploitation report, which underscores the severity of the threat. Apple’s security bulletin states that the company is aware of a report that the issue may have been exploited against targeted individuals running versions of iOS before iOS 26.
The first vulnerability, CVE-2025-43529, is a use-after-free bug in WebKit that can lead to remote code execution: an attacker only needs the target to process maliciously crafted web content, for example by loading a web page. Its discovery is credited to Google’s Threat Analysis Group. The second, CVE-2025-14174, is a memory corruption flaw, also in WebKit and also reachable through maliciously crafted web content; memory corruption of this kind is the usual precursor to code execution in a browser exploit chain. Apple credited the discovery of this flaw jointly to Apple and Google’s Threat Analysis Group.
Both flaws affect a wide range of Apple devices, including the iPhone 11 and later, several generations of iPad Pro and iPad Air, and specific generations of the standard iPad and iPad mini. Apple fixed them across its ecosystem with iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. Older supported devices also received the fixes in iOS 18.7.3 and iPadOS 18.7.3.
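The practical question for anyone managing Apple devices is which of them are still below the fixed builds listed above. The following script is an added example, not code from the article or from Apple; it encodes only the fixed versions the advisory names (26.2 on every platform, plus 18.7.3 for the iOS/iPadOS 18 branch), compares versions as integer tuples so that 18.7.3 sorts above 18.7 and 18.10 sorts above 18.7.3, and refuses to guess for platforms or branches the page does not cover. The inventory records and device names are constructed sample data, and the `Device` record shape is an assumption, not a real MDM export format.

```python
"""Flag Apple devices still exposed to CVE-2025-43529 / CVE-2025-14174.

Fixed builds are taken from the advisory above. Anything on a platform or
major branch the advisory does not list is reported as 'unknown' rather than
silently treated as safe. Inventory below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum fixed version per platform and major branch (per the advisory).
FIXED_VERSIONS: dict[str, dict[int, tuple[int, ...]]] = {
    "iOS":      {26: (26, 2), 18: (18, 7, 3)},
    "iPadOS":   {26: (26, 2), 18: (18, 7, 3)},
    "macOS":    {26: (26, 2)},
    "tvOS":     {26: (26, 2)},
    "watchOS":  {26: (26, 2)},
    "visionOS": {26: (26, 2)},
    "Safari":   {26: (26, 2)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.7.3' into (18, 7, 3); raises ValueError on junk input."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a single device."""
    branches = FIXED_VERSIONS.get(platform)
    if branches is None:
        return "unknown"          # platform not covered by this advisory
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"          # unparseable version string
    fixed = branches.get(current[0])
    if fixed is None:
        # Branch not listed on the page (e.g. iOS 17.x): no fix is named for it,
        # so flag for manual review instead of assuming it is safe.
        return "unknown"
    # Tuple comparison gets 18.7 < 18.7.3 < 18.10 right; plain string
    # comparison would not ("18.10" < "18.7" lexically).
    return "patched" if current >= fixed else "vulnerable"


@dataclass(frozen=True)
class Device:
    """Hypothetical inventory record: one device's platform and OS version."""
    name: str
    platform: str
    version: str


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Device("ceo-iphone", "iOS", "26.2"),
    Device("legal-ipad", "iPadOS", "18.7.2"),
    Device("lab-mac", "macOS", "26.1"),
    Device("lobby-tv", "tvOS", "26.2"),
    Device("old-iphone", "iOS", "17.7.2"),
    Device("exec-watch", "watchOS", "26.2"),
]


def report(inventory: list[Device]) -> dict[str, list[str]]:
    """Group device names by patch status, preserving inventory order."""
    grouped: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device in inventory:
        grouped[patch_status(device.platform, device.version)].append(device.name)
    return grouped


if __name__ == "__main__":
    for status, names in report(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The `unknown` bucket is deliberate: a device on iOS 17.x is not "patched" just because no fix for its branch appears in the advisory, and a fleet report that quietly folds such devices into the safe column hides exactly the machines the attack targeted (older iOS versions).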
Google’s response was coordinated with Apple’s: it also fixed a related zero-day in Google Chrome. The Chrome advisory was initially labeled generically, but Google later updated it to identify the bug as CVE-2025-14174, “Out-of-bounds memory access in ANGLE”, confirming it was the same CVE Apple fixed. ANGLE is a graphics abstraction layer shared by Chrome and WebKit, which is why a single bug required patches from both vendors; Chrome on iOS is in any case built on WebKit. A single exploitation report, a memory corruption chain reachable through ordinary web content, and an “extremely sophisticated attack” against select individuals are all consistent with commercial spyware operations, although Apple has not released technical details beyond confirming that the targets were running iOS versions prior to iOS 26.
With these fixes, Apple has patched a total of seven zero-day vulnerabilities exploited in the wild during 2025. This year’s sequence of urgent patches began with one fix in January, continued with two more across February and March and two in April, and now adds these two. Separately, in September Apple backported the fix for another zero-day, CVE-2025-43300, to older devices running iOS 15.8.5 / 16.7.12 and iPadOS 15.8.5 / 16.7.12. Although the WebKit flaws were only used in targeted attacks, public patches give other attackers a starting point for reproducing the bugs, so all users are strongly urged to install the latest security updates immediately to minimize the risk of wider exploitation.
Source: Apple Fixes Two Zero Day Flaws Used In Sophisticated Attacks