Severity
High
Analysis Summary
Apple has released emergency security updates, iOS 26.2 and iPadOS 26.2, to patch two WebKit zero-day vulnerabilities that were actively exploited in highly targeted, sophisticated attacks against specific iPhone users. The flaws, tracked as CVE-2025-43529 and CVE-2025-14174, were exploited against devices running versions prior to iOS 26 and were triggered by processing malicious web content, a delivery technique commonly associated with spyware-driven surveillance operations. Apple confirmed the issues were used in real-world attacks; the wording indicates limited, targeted victim selection rather than mass exploitation.
The most severe flaw, CVE-2025-43529, is a use-after-free vulnerability in WebKit that allows arbitrary code execution when processing specially crafted web content. This vulnerability was discovered by a researcher who is known for tracking nation-state and commercial spyware campaigns. The second zero-day, CVE-2025-14174, is a related memory corruption issue also impacting WebKit, jointly credited to Apple and Google TAG. The linkage of both vulnerabilities to spyware campaigns strongly suggests exploitation by advanced threat actors with significant technical resources.
Beyond the WebKit zero-days, Apple addressed more than 30 additional vulnerabilities across multiple system components. Notably, a Kernel integer overflow vulnerability (CVE-2025-46285) could allow attackers to gain root-level privileges, effectively taking full control of a compromised device. Apple also fixed multiple Screen Time flaws (including CVE-2025-46277 and CVE-2025-43538) that could expose Safari browsing history or sensitive user data, as well as a Messages vulnerability (CVE-2025-46276) that could allow access to private information. Additional WebKit patches resolved type confusion, buffer overflows, and crash conditions, while third-party libraries such as libarchive and curl were updated to remediate known open-source vulnerabilities.
The updates apply to iPhone 11 and later models and a wide range of iPads, including iPad Pro 12.9-inch (3rd gen and later), iPad Pro 11-inch (1st gen and later), iPad Air (3rd gen and later), iPad (8th gen and later), and iPad mini (5th gen and later). Apple strongly advises users to update immediately via Settings → General → Software Update to mitigate the risk of exploitation. While Apple has not disclosed details about the attackers, the involvement of Google TAG and the exploitation pattern align with previous nation-state or mercenary spyware operations, reinforcing the importance of timely patching for high-risk users and organizations.
Impact
- Gain Access
- Code Execution
Indicators of Compromise
CVE
CVE-2025-43529
CVE-2025-14174
Affected Vendors
Apple
Remediation
- Immediately update all affected devices to iOS 26.2 / iPadOS 26.2 via Settings → General → Software Update to patch the actively exploited zero-day vulnerabilities.
- Enforce automatic security updates on managed and personal devices to reduce exposure to future zero-day exploitation.
- Restrict exposure to untrusted or unknown websites, as the WebKit flaws are triggered via malicious web content.
- Implement Mobile Device Management (MDM) policies to monitor OS versions and block access for non-compliant devices.
- Advise high-risk users (journalists, executives, government staff) to use Lockdown Mode to limit attack surfaces commonly abused by spyware.
- Monitor devices for indicators of compromise (IoCs) associated with WebKit exploitation and spyware behavior.
- Apply the principle of least privilege and review Screen Time, Messages, and Safari permissions to minimize data exposure.
- Maintain regular backup and incident response procedures to quickly recover and investigate suspected compromises.
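As an added example (not part of the original advisory or of any Apple or MDM vendor tooling), the following Python script shows the kind of OS-version compliance gate the MDM recommendation above describes: it reads a device inventory export, compares each device's OS version numerically against the 26.2 floor this advisory names, and fails closed when the platform is unknown or the version string is unparseable. The CSV inventory, its field names, the `MIN_PATCHED` table and the hypothetical future version "26.10" are constructed assumptions for illustration; real MDM exports use different schemas.

```python
"""Flag managed Apple devices that have not received the iOS/iPadOS 26.2 fix.

Added example, not from the advisory. The inventory below is constructed;
adapt parse_inventory() to your MDM's export format.
"""
import csv
import io
from dataclasses import dataclass
from typing import Iterable

# Minimum OS version carrying the CVE-2025-43529 / CVE-2025-14174 fixes,
# per the advisory above. Keys are platform names as an MDM might report them.
MIN_PATCHED: dict[str, tuple[int, ...]] = {
    "iOS": (26, 2),
    "iPadOS": (26, 2),
}


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str     # e.g. "iOS" or "iPadOS"
    os_version: str   # e.g. "26.1.1", "26.2", "18.7.2"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "26.1.1" into (26, 1, 1) for numeric comparison.

    Comparing version strings lexically is the classic bug here: as strings,
    "26.10" < "26.2", so a (hypothetical) 26.10 device would be reported as
    unpatched. Tuples of ints compare component by component, and a shorter
    tuple is treated as a prefix, so (26, 2, 0) >= (26, 2) holds.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable OS version: {version!r}")
    return tuple(int(p) for p in parts)


def naive_is_patched(device: Device) -> bool:
    """The buggy string comparison, kept only to show the pitfall."""
    return device.os_version >= "26.2"


def is_patched(device: Device) -> bool:
    """True only if the device runs a version at or above the patched floor.

    Fails closed: unknown platforms and unparseable versions are reported as
    non-compliant rather than silently passing the gate.
    """
    minimum = MIN_PATCHED.get(device.platform)
    if minimum is None:
        return False
    try:
        return parse_version(device.os_version) >= minimum
    except ValueError:
        return False


def non_compliant(devices: Iterable[Device]) -> list[Device]:
    """Devices an MDM conditional-access policy should block until updated."""
    return [d for d in devices if not is_patched(d)]


# Constructed sample inventory (not real device data). "26.10" is a
# hypothetical future version included only to exercise the comparison.
SAMPLE_INVENTORY_CSV = """device_id,platform,os_version
iphone-001,iOS,26.2
iphone-002,iOS,26.1.1
iphone-003,iOS,18.7.2
ipad-001,iPadOS,26.2.1
ipad-002,iPadOS,26.10
ipad-003,iPadOS,n/a
"""


def parse_inventory(csv_text: str) -> list[Device]:
    """Parse an MDM-style CSV export (assumed column names) into Device rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Device(r["device_id"], r["platform"], r["os_version"]) for r in reader]


if __name__ == "__main__":
    devices = parse_inventory(SAMPLE_INVENTORY_CSV)
    for d in non_compliant(devices):
        print(f"BLOCK {d.device_id}: {d.platform} {d.os_version} < 26.2")
    # Show how the naive string check misjudges the hypothetical 26.10 device.
    for d in devices:
        if naive_is_patched(d) != is_patched(d):
            print(f"naive check disagrees on {d.device_id} ({d.os_version})")
```

In practice the same comparison belongs in the MDM's compliance rule itself (most products let you set a minimum OS version per platform); the script is useful as an independent cross-check over the inventory export, and the fail-closed handling of missing or malformed version fields is the part most often skipped.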

