Apple Releases Critical Security Updates to Address Actively Exploited Zero-Day Vulnerabilities in iOS and iPadOS
Apple has recently issued urgent security updates to address two critical zero-day vulnerabilities in its WebKit browser engine, which have been actively exploited in sophisticated attacks targeting specific iPhone users. These vulnerabilities, identified as CVE-2025-43529 and CVE-2025-14174, pose significant risks to users operating devices on iOS versions prior to 26.
Details of the Vulnerabilities:
– CVE-2025-43529: This vulnerability is a use-after-free issue within WebKit, the engine that powers Safari and other applications. Exploitation of this flaw allows attackers to execute arbitrary code on the affected device by enticing users to visit maliciously crafted web content. The vulnerability was discovered by Google’s Threat Analysis Group (TAG), highlighting its severity and the potential for widespread exploitation.
– CVE-2025-14174: This is a related memory corruption issue within WebKit. Similar to CVE-2025-43529, it can be exploited through malicious web content, leading to unauthorized code execution. The discovery of this vulnerability is credited to both Apple and Google TAG, indicating a collaborative effort to identify and mitigate such critical security flaws.
Affected Devices:
The vulnerabilities impact a range of Apple devices, including:
– iPhone 11 and later models
– iPad Pro 12.9-inch (3rd generation and later)
– iPad Pro 11-inch (1st generation and later)
– iPad Air (3rd generation and later)
– iPad (8th generation and later)
– iPad mini (5th generation and later)
Additional Security Fixes:
In addition to addressing the aforementioned zero-day vulnerabilities, Apple has resolved over 30 other security issues across various components. Notable fixes include:
– Kernel Vulnerability (CVE-2025-46285): An integer overflow issue in the Kernel that could allow attackers to escalate privileges to root. This vulnerability was discovered by researchers from Alibaba Group.
– Screen Time Vulnerabilities (CVE-2025-46277 and CVE-2025-43538): Flaws in the Screen Time feature that could expose Safari browsing history or other sensitive user data. These issues were identified by security researchers Kirin (@Pwnrin) and others.
– WebKit Vulnerabilities: Multiple issues such as type confusion, buffer overflows, and crashes (e.g., CVE-2025-43541, CVE-2025-43501) have been addressed to enhance the security and stability of the WebKit engine.
– Open-Source Component Fixes: Vulnerabilities in open-source components like libarchive (CVE-2025-5918) and curl (CVE-2024-7264, CVE-2025-9086) have also been patched to prevent potential exploitation.
Recommendations for Users:
Given the active exploitation of these vulnerabilities, it is imperative for users to update their devices immediately. To do so:
1. Navigate to Settings on your device.
2. Tap on General.
3. Select Software Update.
4. Follow the on-screen instructions to download and install iOS 26.2 or iPadOS 26.2.
Prompt installation of these updates is crucial to protect your device from potential attacks that could compromise personal data and device functionality.
Context of the Exploitation:
The active exploitation of these vulnerabilities aligns with patterns observed in previous targeted spyware attacks. While Apple has not disclosed specific details about the attackers, the collaboration with Google’s Threat Analysis Group suggests that these exploits may be associated with nation-state-level threats. Such sophisticated attacks often target individuals with high-value information, emphasizing the importance of maintaining up-to-date security measures.
Conclusion:
The discovery and active exploitation of these zero-day vulnerabilities underscore the persistent threats facing digital devices and the importance of timely security updates. Appleās swift response in releasing patches highlights the company’s commitment to user security. Users are strongly encouraged to install the latest updates without delay to safeguard their devices against potential exploits.
