Apple Addresses Critical Zero-Day Vulnerabilities Exploited in Targeted iPhone Attacks
Apple has recently released iOS 26.2 and iPadOS 26.2 updates to address two critical zero-day vulnerabilities in the WebKit framework, which were actively exploited in sophisticated attacks targeting specific iPhone users running iOS versions prior to 26. ([cybersecuritynews.com](https://cybersecuritynews.com/apple-0-day-vulnerabilities-exploited-2/?utm_source=openai))
Understanding the Zero-Day Vulnerabilities
The two vulnerabilities, identified as CVE-2025-43529 and CVE-2025-14174, reside within WebKit, the engine powering Safari and other iOS applications.
– CVE-2025-43529: This is a use-after-free vulnerability that allows arbitrary code execution when processing malicious web content. It was discovered by Google’s Threat Analysis Group.
– CVE-2025-14174: A memory corruption issue that can be exploited through crafted web content, potentially leading to unexpected application termination or arbitrary code execution. This flaw was identified by both Apple and Google’s Threat Analysis Group.
Both vulnerabilities have been linked to targeted spyware campaigns, emphasizing the need for immediate attention. ([cybersecuritynews.com](https://cybersecuritynews.com/apple-0-day-vulnerabilities-exploited-2/?utm_source=openai))
Additional Security Fixes
Beyond these zero-day vulnerabilities, Apple has addressed over 30 other security issues across various system components, including the Kernel, Foundation, Screen Time, and curl. Notable fixes include:
– Kernel Vulnerability (CVE-2025-46285): An integer overflow that could allow an application to execute arbitrary code with kernel privileges. This issue was reported by researchers from Alibaba Group.
– Screen Time Vulnerabilities (CVE-2025-46277, CVE-2025-43538): Flaws that could allow unauthorized access to Safari browsing history or sensitive user data.
– WebKit Issues: Multiple vulnerabilities, such as type confusion and buffer overflows, which could lead to arbitrary code execution or application crashes.
Additionally, Apple addressed open-source vulnerabilities in libarchive (CVE-2025-5918) and curl (CVE-2024-7264, CVE-2025-9086).
Devices Affected and Recommended Actions
The vulnerabilities impact a range of devices, including:
– iPhone 11 and later models
– iPad Pro 12.9-inch (3rd generation and later)
– iPad Pro 11-inch (1st generation and later)
– iPad Air (3rd generation and later)
– iPad (8th generation and later)
– iPad mini (5th generation and later)
Users are strongly advised to update their devices immediately to mitigate potential risks. To update:
1. Go to Settings.
2. Select General.
3. Tap on Software Update.
4. Follow the on-screen instructions to download and install the update.
Implications of the Exploited Vulnerabilities
The exploitation of these zero-day vulnerabilities underscores the persistent threats faced by users, especially those targeted by sophisticated attackers. The collaboration between Apple and Google’s Threat Analysis Group highlights the severity of these issues and the importance of timely updates.
Conclusion
Apple’s swift response to these vulnerabilities demonstrates its commitment to user security. However, the responsibility also lies with users to ensure their devices are updated promptly. Staying vigilant and proactive is crucial in the ever-evolving landscape of cybersecurity threats.
