Apple released patches for two zero-day vulnerabilities affecting WebKit, the browser engine that powers Safari on macOS, iOS, and iPadOS and that underlies every browser on iPhone and iPad devices. The vulnerabilities, tracked as CVE-2025-14174 and CVE-2025-43529, can both be exploited through maliciously crafted web content, leading to arbitrary code execution. According to Apple, the vulnerabilities were already exploited in what it describes as “…an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.” Apple urges its users to upgrade to the latest version of each affected OS, which includes fixes for both bugs.
What’s Notable and Unique
- Apple’s patch releases coincided with a somewhat vague Google advisory, which, at the time, did not have an assigned CVE. The vulnerability described in Google’s release has since been identified as CVE-2025-14174 and affects Chrome’s graphics engine, ANGLE, on Mac devices.
- Technical details concerning the vulnerabilities and the attacks observed by Apple remain scarce, likely due to Apple and Google wanting to provide enough time for users to patch their devices before widespread exploitation occurs.
- This is the second WebKit-related zero-day Apple has reported this year. In March, Apple disclosed CVE-2025-24201, an out-of-bounds write flaw that can allow an attacker to break out of the Web Content sandbox. That vulnerability was also exploited in what Apple described as an “extremely sophisticated” attack.
Analyst Comments
There are conflicting reports as to whether the vulnerabilities were first discovered by Apple’s Security Engineering and Architecture (SEAR) team or Google’s Threat Analysis Group (TAG), but it is clear that the two organizations have been working together to address the issues. This level of collaboration between Apple and Google is rare and speaks to the severity of the flaws and the potential threat to targeted individuals. Given Apple’s language about the attacks and the involvement of Google’s TAG, which generally focuses its efforts on state-sponsored actors, it has been widely speculated that the activity was part of a well-resourced espionage campaign. Regardless of which adversary is behind the attacks reported by Apple, users should follow the patching guidance as soon as possible.