Apple has issued an urgent security update for iPhone and iPad users, releasing patches for two critical zero-day vulnerabilities in the WebKit browser engine. In a concerning disclosure, the company confirmed that both flaws are already being exploited in the wild, enabling “extremely sophisticated” attacks against high-risk targets.
The vulnerabilities, tracked as CVE-2025-43529 and CVE-2025-14174, allow attackers to execute malicious code simply by tricking a victim into loading a web page.
Both vulnerabilities reside in WebKit, the engine that powers Safari and renders web content across the iOS ecosystem. Because WebKit is central to how the device displays information, the attack surface is vast. An attacker does not need physical access to the device; processing “maliciously crafted web content”—such as a compromised website or a malicious ad—is enough to trigger the exploit.
Apple’s advisory for both bugs uses identical, alarming language regarding their active exploitation:
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”
This specific phrasing is typically reserved for state-sponsored mercenary spyware campaigns, where high-value targets such as journalists, diplomats, and dissidents are singled out.
The two flaws exploit different weaknesses in how the browser handles memory:
- CVE-2025-43529 (Use-After-Free): Discovered by the Google Threat Analysis Group (TAG), this vulnerability is a “use-after-free” error. In simple terms, the program continues to use a block of memory after it has been freed; an attacker who can control what that freed memory is reused for may be able to run arbitrary code. Apple addressed this by improving memory management (WebKit Bugzilla: 302502).
- CVE-2025-14174 (Memory Corruption): Credited to both Apple and Google TAG, this issue allows for memory corruption, a condition that can crash the process or be leveraged by attackers to gain code execution. It was patched with improved input validation (WebKit Bugzilla: 303614).
The vulnerabilities affect a broad range of modern Apple mobile hardware. If you own any of the following, your device is susceptible until it is updated:
- iPhone: iPhone 11 and later
- iPad Pro: 12.9-inch (3rd gen+), 11-inch (1st gen+)
- iPad Air: 3rd gen and later
- iPad: 8th gen and later
- iPad mini: 5th gen and later
Now that the patches are public, other cybercriminal groups may attempt to reverse-engineer the fixes to create their own exploits for broader attacks.
Users are strongly advised to update immediately to iOS 26 (or the latest version offered in Settings).