Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," reads Apple's security bulletin.
CVE-2025-43529 is a WebKit use-after-free remote code execution flaw that can be exploited when a device processes maliciously crafted web content. Apple says the flaw was discovered by Google’s Threat Analysis Group.
CVE-2025-14174 is a WebKit flaw that could lead to memory corruption. Apple says the flaw was discovered by both Apple and Google’s Threat Analysis Group.
Devices impacted by both flaws include:
iPhone 11 and later
iPad Pro 12.9-inch (3rd generation and later)
iPad Pro 11-inch (1st generation and later)
iPad Air (3rd generation and later)
...