Apple Issues Emergency Security Updates After “Sophisticated” Zero-Day Attacks Target iPhone and iPad Users

Apple has released a major round of emergency security patches after uncovering two zero-day vulnerabilities used in what the company described as an exceptionally sophisticated cyberattack aimed at specific individuals. The flaws, discovered in devices running versions of iOS prior to iOS 26, were actively exploited in the wild, prompting immediate updates across nearly every Apple platform.

The vulnerabilities, both tied to Apple’s WebKit browser engine, were severe enough to allow attackers to execute code remotely or manipulate device memory through malicious web content. WebKit underpins Safari, Mail and the App Store, and also drives browser functionality on all iOS devices, including Chrome and Firefox on iPhone and iPad.

Two Critical WebKit Vulnerabilities Exposed

The first flaw, CVE-2025-43529, is a remote code execution vulnerability that can be triggered simply by viewing maliciously crafted web content. Google’s Threat Analysis Group (TAG) identified the flaw as part of its ongoing investigation into targeted cyberattacks.

The second vulnerability, CVE-2025-14174, involves potential memory corruption in WebKit. It was uncovered jointly by Apple’s security engineering team and Google TAG. This second flaw is believed to be linked to exploitation methods seen in other recent zero-day chains.

While Apple has not disclosed details about the attackers or the victims, the company stated that the campaign appeared to target individual users with highly specialised techniques — a pattern consistent with operations conducted by advanced threat actors, including government-backed spyware groups.

Wide Range of Apple Devices Affected

The list of vulnerable devices includes a broad swath of recent Apple hardware:

• iPhone 11 and later

• iPad Pro 12.9-inch (3rd gen and later)

• iPad Pro 11-inch (1st gen and later)

• iPad Air (3rd gen and later)

• iPad (8th gen and later)

• iPad mini (5th gen and later)

Apple has patched the vulnerabilities in the following updates, now available to users globally:

• iOS 26.2 and iPadOS 26.2

• iOS 18.7.3 and iPadOS 18.7.3

• macOS Tahoe 26.2

• watchOS 26.2

• tvOS 26.2

• visionOS 26.2

• Safari 26.2

Users running earlier versions of iOS or iPadOS are urged to update immediately via Settings > General > Software Update. Apple also advises enabling automatic updates to ensure rapid protection against future exploits.

Possible Links to Chrome Zero-Days

The timing of Apple’s patches aligns with Google’s recent fixes for several Chrome vulnerabilities — including one actively exploited flaw that TechCrunch connected to joint research between Apple’s security team and Google TAG. While there is no confirmed link between the two sets of vulnerabilities, both companies’ coordinated disclosures suggest a larger cross-platform attack surface targeted in the campaign.

Google TAG is known for monitoring government-backed threat actors, raising the likelihood that the zero-day exploits were part of a highly targeted espionage operation rather than broad consumer malware.

A Growing Trend of High-End Targeted Attacks

The incident adds to a growing series of sophisticated cyber campaigns targeting mobile devices, often exploiting browser engines — one of the most complex and widely exposed components across operating systems. Mobile platforms, once considered more secure due to sandboxing and controlled app ecosystems, have increasingly become targets for advanced spyware groups.

With these latest patches, Apple continues its trend of responding rapidly to zero-day threats, but the frequency of such incidents underscores an evolving landscape in which well-resourced attackers continue probing for weaknesses.

For now, the company urges all users to update their devices without delay, as even those not directly targeted may remain vulnerable if running older software. In a world where zero-days are discovered with increasing regularity, staying updated remains one of the simplest — and most critical — defences.

Photo Credit: DepositPhotos.com