Apple Patches Dual iOS Zero-Days Exploited in Targeted Attacks Against iPhone Users

Apple released iOS 26.2 and iPadOS 26.2 on December 12, 2025, addressing two actively exploited zero-day vulnerabilities (CVE-2025-43529 and CVE-2025-14174) within WebKit, the engine powering Safari and many iOS applications. These vulnerabilities were exploited in highly targeted attacks against specific iPhone users, prompting urgent security updates. The issues were discovered collaboratively by Google’s Threat Analysis Group (TAG) and Apple’s own security team, indicating a sophisticated threat actor behind the campaign.

Severity: High

Vulnerability Details

  • CVE-2025-43529: WebKit Use-After-Free
    • Component: WebKit
    • Impact: Arbitrary code execution
    • Description: This flaw stems from a use-after-free memory management error when handling maliciously crafted web content. Attackers could exploit this by luring victims to a compromised or malicious website, triggering remote code execution within the browser’s rendering process.
    • Exploitation: Apple confirmed this zero-day was exploited in targeted attacks against individuals using iOS versions prior to 26.0.
  • CVE-2025-14174: WebKit Memory Corruption
    • Component: WebKit
    • Impact: Arbitrary code execution
    • Description: A memory corruption vulnerability caused by improper validation of object references during rendering operations. Successful exploitation could enable attackers to execute arbitrary code in the context of the WebKit process.
    • Exploitation: Reported to have been used in the same targeted attack campaign as CVE-2025-43529.
  • Affected Devices
    • iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.
  • Attack Campaign Context
    • Threat Type: Zero-click or drive-by compromise via Safari.
    • Attack Vectors: Maliciously crafted web pages, possibly embedded in spear-phishing or watering-hole attacks.
    • Victim Profile: High-risk individuals such as journalists, policy researchers, and political figures — based on TAG’s prior reporting on similar iOS exploitation patterns.
    • Attribution: Although Apple and Google have not publicly named a specific group, the level of sophistication aligns with nation-state or advanced commercial spyware operators.

Recommendations

    1. iPhone and iPad users must update immediately to iOS/iPadOS 26.2 or later. Prioritize updates for high-risk users (executives, journalists, diplomats, political figures).
    2. Enforce MDM compliance policies to block outdated devices from accessing corporate networks.
    3. Disable JavaScript execution for untrusted sites via Screen Time → Content Restrictions or MDM policy.
    4. Educate users about drive-by compromise and malicious link exposure in messages and social media.
    5. Avoid clicking on links from unsolicited sources, especially via SMS, iMessage, or email.
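A defender-side way to act on recommendations 1 and 2, as an added example that is not from the advisory or from Apple: it audits an MDM inventory export for iOS/iPadOS devices still below 26.2 and lists high-risk owners first. The CSV column names, role labels and device rows are constructed assumptions, not a real MDM format.

```python
"""Audit an MDM inventory for iOS/iPadOS devices missing the 26.2 fix.
Added example (not from the advisory or Apple); columns and rows are constructed."""
import csv
import io
import re

PATCHED = (26, 2)  # iOS / iPadOS 26.2 ships the fixes for both CVEs
HIGH_RISK_ROLES = {"executive", "journalist", "diplomat", "political figure"}  # advisory's priority users

def parse_version(text):
    """'26.1.1' -> (26, 1, 1); ignores trailing build info such as '26.2 (build xyz)'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(version_text):
    # Compare integer tuples, never strings: "26.10" would otherwise sort below "26.2".
    return parse_version(version_text) >= PATCHED

def needs_update(rows):
    """(device_id, os, version, high_risk) for iOS/iPadOS devices below 26.2, high-risk first."""
    pending = []
    for r in rows:
        if r["os"].strip().lower() not in ("ios", "ipados"):
            continue  # the advisory covers iOS and iPadOS only
        if is_patched(r["os_version"]):
            continue
        high_risk = r["owner_role"].strip().lower() in HIGH_RISK_ROLES
        pending.append((r["device_id"], r["os"], r["os_version"], high_risk))
    return sorted(pending, key=lambda d: (not d[3], d[0]))

# Constructed sample export: version strings deliberately include a build suffix and a two-digit minor.
SAMPLE_INVENTORY = """\
device_id,os,os_version,owner_role
A1,iOS,26.1.1,staff
A2,iOS,26.2 (build xyz),executive
A3,iPadOS,26.10,staff
A4,iOS,18.7.2,journalist
A5,macOS,26.1,staff
"""

def audit(csv_text):
    """Parse a CSV export and return the devices that still need the update."""
    return needs_update(csv.DictReader(io.StringIO(csv_text)))

if __name__ == "__main__":
    for device_id, os_name, ver, high_risk in audit(SAMPLE_INVENTORY):
        print(("HIGH-RISK " if high_risk else "") + f"{device_id}: {os_name} {ver} -> update to 26.2")
```

The same `needs_update` logic can feed an MDM compliance rule so that flagged devices are denied corporate network access until they report 26.2 or later.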

    Source:

    • https://support.apple.com/en-us/125884