Apple has pushed out emergency updates for iPhone, iPad, Mac, Apple Watch, Apple TV and Safari to close two zero‑day vulnerabilities being exploited in a highly targeted campaign. The company says that the exploits were used against “specific targeted individuals,” indicating a precision operation rather than broad untargeted malware.
The vulnerabilities are in the WebKit, the browser engine across both Safari and every third‑party web browser on iOS and iPadOS as well. Apple confirmed limited use in the wild and recommended users update as soon as possible.
What Apple Fixed in the Emergency Security Updates
One of those bugs (CVE-2025-43529) permits remote code execution when handling malicious web content. Google’s Threat Analysis Group (TAG) is credited by Apple with catching the oversight. A second bug, CVE-2025-14174, is another WebKit bug that could result in memory corruption; Apple writes that it was discovered through joint work between its own security engineers and TAG.
Patches arrive in iOS 26.2 and iPadOS 26.2 for supported devices, with the same changes hitting versions iOS 18.7.3 and iPadOS 18.7.3 for devices left on an alternate support track.
macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2 and Safari 26.2 are other updates also available to download.
Apple didn’t share any technical indicators or exploit chains, a typical practice while attacks are still ongoing. But the participation of TAG — Google’s team dedicated to tracking state‑aligned threats — hammers home the sensitivity and presumably high‑value targets at play in the campaign.
Who Is Affected by the WebKit Zero-Day Exploits
Hardware affected, by independent reporting, is iPhone 11 up; iPad Pro 12.9‑inch (3rd generation and later) down and including 11‑inch (1st generation and later); iPad Air (3rd generation and later); iPad (8th generation and later); and iPad mini (5th generation onwards). The exploits seemed to target devices that ran iOS 26 or earlier, Apple said.
Though Apple mentions “specific targeted individuals,” these types of operations have historically zeroed in on journalists, dissidents, lawyers and enterprise executives. Previous iOS campaigns — including FORCEDENTRY and BLASTPASS, reported by Citizen Lab and Amnesty International’s Security Lab — have used zero‑click or near zero‑click exploits employing messaging or browsing capabilities.
Why WebKit Bugs Matter Across Apple Platforms
All browsers on iOS and iPadOS must use WebKit, so a bug in the engine can have an impact on users regardless of whether they browse through Safari, Chrome, Firefox or any other app. WebKit is also used to render embedded web views in apps like Mail and the App Store, increasing the potential attack surface outside of traditional browsing.
These WebKit vulnerabilities could lead to drive‑by compromise — where you don’t even need to click on a malicious link or download any rogue files.
For that reason, it is a popular target of advanced threat actors. Google’s TAG has repeatedly warned that commercial spyware vendors and government‑backed groups “expend significant effort to develop reliable WebKit exploits based on large code bases” due to their wide penetration scope with users.
Chrome Patches May Be Linked but Not Confirmed
Google also rolled in several recent Chrome security fixes, notably one bug that it claimed had been actively exploited. Coverage points out the cooperation between credited teams — Apple’s security engineering team and Google’s TAG — while there is no indication of a direct link for the Chrome issue with Apple’s WebKit zero‑days. Yet the timing shows how cross‑vendor collaboration is now closing the window in which attackers can take such techniques and apply them elsewhere.
What to Do Now: Update Devices and Enable Protections
Update immediately and consider additional hardening steps:
- If you’re on an iPhone or iPad, head to Settings > General > Software Update and get the current version, or turn on Automatic Updates.
- On Mac, navigate to System Settings > General > Software Update.
- Update Safari separately if your Mac or iPad is still on an older release branch.
- High-risk users may want to consider Lockdown Mode (Settings > Privacy & Security > Lockdown Mode on iOS/iPadOS/macOS).
- Enable MDM to enforce minimum OS versions, keep an eye on users working with highly targeted information or who are at high risk from travel, and look for unusual browser or WebKit child processes in endpoint telemetry.
The Bigger Picture on Cross‑Vendor Security Response
The dual‑track release — patching its newest platforms and older supported product lines both — shows Apple is placing more priority on closing as many attackable windows as possible across its vast installed base. It’s also illustrative of a larger industry trend: when one browser engine or messaging stack gets drilled, the knock‑on effects can nudge into rapid, coordinated patching by multiple vendors.
For most people, the fix is simple: update and move on. This episode is just one more reminder for those in the crosshairs of advanced attackers that keeping updated, hardening devices and practicing good ergonomics around browsing and messaging continue to be an essential part of staying ahead of the next zero‑day chain.
