Apple Releases Emergency Patch For Two Zero-Day Flaws Used In Highly Targeted Attacks - LinkedIn

Apple has issued urgent security updates to address two critical zero-day vulnerabilities that have been exploited in sophisticated real-world attacks targeting specific individuals, the company confirmed this week. The patches are part of a broader emergency update that spans iOS, iPadOS, macOS, watchOS, tvOS, and Apple’s Safari browser. The flaws, tracked as CVE-2025-43529 and CVE-2025-14174, reside in WebKit, the browser engine that powers Safari and underlies web content in many Apple apps. Because WebKit is deeply integrated into device operations, attackers could exploit these weaknesses simply by luring users to maliciously crafted web content — without any interaction beyond loading a webpage. Description of the Vulnerabilities According to Apple, the two zero-days affect memory handling in WebKit: CVE-2025-43529 is a use-after-free error — a class of flaw where software tries to use memory after it has been freed, offering attackers an entry point to execute arbitrary code. This defect was identified by Google’s Threat Analysis Group, a team focused on uncovering sophisticated threats. CVE-2025-14174 involves memory corruption. This vulnerability, attributed to both Apple and Google TAG researchers, could allow crafted content to destabilise device memory, potentially leading to exploitation. Apple’s official security bulletin states that both flaws “may have been exploited in an extremely sophisticated attack against specific targeted individuals” on devices running versions of iOS prior to the latest releases. Wide Range of Affected Devices The vulnerabilities affect a broad swath of Apple’s mobile hardware, including: iPhone 11 and later iPad Pro models (12.9-inch 3rd gen+, 11-inch 1st gen+) iPad Air (3rd gen and later) iPad (8th gen and later) iPad mini (5th gen and later) To mitigate the threat, Apple has released patches in the following software versions: iOS 18.7.3, iPadOS 18.7.3, macOS Tahoe 26.2, OS 26.2 (for Apple Watch, tvOS, visionOS), and Safari 26.2. Recommended by LinkedIn Apple Warns of Three 0-Day Vulnerabilities Actively… SAYEED SHAZIA 11 months ago Apple Releases Emergency Security Updates For Actively… The Cyber Security Hub™ 1 year ago Apple Releases Important Updates for Zero-Day Flaws… Stefan E. 2 years ago Coordinated Disclosure and Broader Industry Response This week’s update follows nearly concurrent action by Google, which patched a related zero-day in its Chrome browser originally listed as bug 466192044 before being tied to CVE-2025-14174 — underscoring coordinated disclosure between the two tech giants and a shared concern over active exploitation. Security experts note that the involvement of Google’s Threat Analysis Group — known for tracking state-linked actors — suggests these attacks may resemble other high-precision surveillance campaigns seen in recent years, in which spyware is deployed against diplomats, journalists, activists, or corporate executives rather than the general public. Not an Isolated Incident Apple’s response this week brings the total number of zero-day vulnerabilities patched in 2025 to at least seven, including earlier WebKit flaws and other high-risk bugs affecting core system components. These include CVE-2025-24085 in January, multiple WebKit issues in early spring, and a separate zero-day backported for older devices running iOS 15 and 16 in September. Cybersecurity analysts say the frequency and sophistication of these incidents highlight a broader — and growing — trend of targeted iOS attacks. They point to past campaigns such as Operation Triangulation, a complex iPhone exploit chain first exposed in 2023 that used multiple zero-day bugs to deploy spyware and remained undetected for months. Although not directly connected to the current vulnerabilities, such past incidents underscore how advanced threat actors operate against mobile platforms. What Users Should Do Now While Apple indicates these zero-days were primarily used in targeted attacks, it is strongly advised that all users install the latest updates immediately to block potential exploitation and prevent emerging threats from taking advantage of similar flaws. To update, users can navigate to Settings > General > Software Update on iPhone and iPad devices, or use System Preferences on macOS. For older devices that cannot upgrade to the newest OS versions, Apple typically offers standalone security patches where possible Download The Ultimate NICS2 Compliance Self Assessment Toolkit 💡 Learn how to discover and remediate hidden risks before AI agents exploit them