Apple has rolled out urgent security updates to combat newly emerged zero-day vulnerabilities used in a hacking campaign targeting individual people.
The vulnerabilities may have been exploited in “an extremely sophisticated attack against specific targeted individuals” using versions of iOS prior to iOS 26, according to Apple’s security bulletin.
According to cybersecurity website BleepingComputer, which first reported the news, one of the vulnerabilities—dubbed CVE-2025-43529—is a WebKit remote code execution flaw that “can be exploited by processing maliciously crafted web content.” Apple says the flaw was discovered by Google’s Threat Analysis Group. WebKit is the open-source engine that powers Safari, Mail, and the App Store, as well as many other apps on macOS, iOS, and Linux, including Chrome on iOS.
The other vulnerability, CVE-2025-14174, is reportedly another WebKit flaw that could potentially lead to memory corruption if exploited. Apple says this flaw was discovered by Apple and Google’s Threat Analysis Group in partnership.
As per BleepingComputer, devices susceptible to the vulnerabilities include the iPhone 11 and later; the iPad Pro 12.9-inch (3rd generation and later); and the iPad Pro 11-inch (1st generation and later). The iPad Air (3rd generation and later), the iPad (8th generation and later), and the iPad mini (5th generation and later) are also at risk.
Apple said the flaws have been fixed in iOS 26.2 and iPadOS 26.2; iOS 18.7.3 and iPadOS 18.7.3; macOS Tahoe 26.2; tvOS 26.2; watchOS 26.2; visionOS 26.2; and Safari 26.2.
No other information was revealed about the nature of the attack, other than that it appears to have targeted users running versions of iOS prior to iOS 26.
Recommended by Our Editors
To install the latest security patch on your iPhone or iPad, head to Settings > General > Software Update. Alternatively, enable automatic updates to allow the device to patch itself in the future.
Google has also rolled out patches for vulnerabilities which News notes could be connected to Apple’s, though this is not verifiable with currently available information. Google released patches for several security bugs in its Chrome browser early this week, saying that one was being actively exploited, but without providing further details. The page was later updated to say the bug was uncovered by a combination of Apple’s security engineering team and Google’s Threat Analysis Group. News highlighted that this particular unit of Google’s cybersecurity operations often deals with attacks linked to government-backed hacking groups.
Get Our Best Stories!
Your Daily Dose of Our Top Tech News
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Experience
I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.
I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.
Read Full Bio
