- Apple Patches Two WebKit Zero-Days (CVE-2025-43529 and CVE-2025-14174) Used in Highly Targeted Attack
- Google TAG and Apple jointly discovered flaws, and Chrome received a parallel fix
- The updates cover iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari, and users are urged to apply patches quickly.
Apple fixed two zero-day vulnerabilities exploited in an “extremely sophisticated attack” that, by all indications, could have been a cyberespionage operation against one or several high-profile individuals.
In a new security advisory, Apple said it has released a patch for a use-after-free remote code execution (RCE) vulnerability in WebKit, as well as a WebKit memory corruption flaw.
WebKit is Apple’s browser engine responsible for rendering web pages. It powers Safari on macOS, iOS, and iPadOS, and is used by all browsers on iPhone and iPad.
Fixes implemented
The two bugs are now tracked as CVE-2025-43529 and CVE-2025-14174.
“Apple is aware of a report indicating that this issue may have been exploited in an extremely sophisticated attack against targeted individuals in versions of iOS prior to iOS 26,” Apple’s security bulletin says.
What’s interesting is that both bugs were discovered by Google’s Threat Analysis Group (TAG), Google’s specialized cybersecurity arm that primarily tracks and monitors state-sponsored threat actors. Apple was also credited for the second bug.
It is also curious that, at the same time, Google has fixed the bug with the same identifier (CVE-2025-14174) in Chrome. This suggests that the two companies worked together to mitigate the risk, which is not surprising, but also not that common, and could indicate that the exploit was quite serious.
Devices affected by these flaws include iPhone 11 and later, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).
The flaws are fixed in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2.
While the chances of regular people being hit by these flaws are somewhat slim, both companies still suggest that everyone apply the fix as soon as possible.
Via BleepingComputer




