Apple has released emergency security updates across its entire ecosystem after confirming that two WebKit vulnerabilities were actively exploited in highly targeted attacks. These flaws impacted any Apple device rendering web content, including Safari and every browser on iOS and iPadOS. Anyone running an unpatched device was at risk.
The Vulnerabilities Explained
Apple addressed two critical WebKit flaws:
• CVE-2025-43529
A use-after-free issue that can lead to arbitrary code execution.
• CVE-2025-14174
A memory corruption bug with a CVSS score of 8.8.
Both vulnerabilities are triggered by maliciously crafted web content. No app installation is required. Simply visiting a compromised page is enough to trigger exploitation.
Why This Is More Serious Than a Typical Browser Bug
Apple confirmed that these vulnerabilities were used in extremely sophisticated attacks. Such wording is rare and strongly suggests activity tied to mercenary spyware developers or nation-state-level operations.
CVE-2025-14174 is the same flaw patched by Google in Chrome earlier this week. The root cause lies within the ANGLE graphics library shared by both Chrome and WebKit. This indicates cross-browser weaponization and a coordinated exploitation trend.
Who Discovered the Flaws
The vulnerabilities were identified through collaboration between:
• Google Threat Analysis Group
• Apple Security Engineering and Architecture
The involvement of TAG typically signals advanced threat activity rather than opportunistic cybercrime.
Affected Platforms and Patched Versions
Apple released fixes across nearly all major product lines:
• iOS 26.2 and iPadOS 26.2
• iOS 18.7.3 and iPadOS 18.7.3
• macOS Tahoe 26.2
• tvOS 26.2
• watchOS 26.2
• visionOS 26.2
• Safari 26.2 for macOS Sonoma and Sequoia
Affected devices include iPhone 11 and later, supported iPads, Apple Watch Series 6 and later, Apple TV, and Vision Pro. If a device renders web content through WebKit, it was within the attack surface.
A Clear Pattern of Exploitation in 2025
With this update, Apple has now patched nine zero-day vulnerabilities exploited in the wild during 2025. This trend highlights increasing attacker investment in browser engines and rendering pipelines to bypass sandboxing and silently reach high-value targets.
WebKit continues to be a prime target because all browsers on iOS and iPadOS must use it.
What Organizations Should Do Now
• Enforce immediate updates for all managed Apple devices
• Audit MDM compliance and ensure devices cannot defer patches
• Treat delayed updates as an actual security risk
• Assume modern web-based exploits can bypass app-level controls
• Monitor for unusual network or browser behavior following updates
• For high risk users, remember that patch latency equals exposure
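The first two actions above, enforcing updates and auditing MDM compliance, come down to comparing each managed device's OS build against the patched versions in the list above. The check is branch-aware: an iPhone on iOS 18.7.3 is patched even though 18 is lower than 26, while a Mac on Sonoma or Sequoia is only covered once Safari 26.2 is installed. The following script is an added example, not code from the article, Apple or COE Security. It assumes an MDM inventory export flattened into rows with a platform, an OS version string and (for Macs) a Safari version; the inventory, device ids and version numbers below are constructed, and the mapping of Sonoma and Sequoia to macOS 14 and 15 is the author's assumption.

```python
"""Branch-aware patch compliance check for the WebKit fixes listed above."""
from __future__ import annotations
from collections import defaultdict

# Minimum patched version per platform and major release branch, taken from
# the article's "Affected Platforms and Patched Versions" list.
PATCHED: dict[str, dict[int, tuple[int, ...]]] = {
    "ios":      {26: (26, 2), 18: (18, 7, 3)},
    "ipados":   {26: (26, 2), 18: (18, 7, 3)},
    "macos":    {26: (26, 2)},
    "tvos":     {26: (26, 2)},
    "watchos":  {26: (26, 2)},
    "visionos": {26: (26, 2)},
}
# Assumption: Sonoma = macOS 14, Sequoia = macOS 15; both are fixed only through
# the standalone Safari 26.2 update, not through an OS version bump.
SAFARI_PATCHED = (26, 2)
SAFARI_ONLY_MACOS_BRANCHES = {14, 15}


def parse_version(text: str) -> tuple[int, ...]:
    """'18.7.3' -> (18, 7, 3). Tolerates a trailing build tag such as '26.2 (buildtag)'."""
    core = text.strip().split()[0]
    return tuple(int(part) for part in core.split("."))


def evaluate(platform: str, os_version: str, safari_version: str | None = None) -> str:
    """Classify one device as 'patched', 'vulnerable' or 'unsupported_branch'."""
    plat = platform.lower()
    if plat not in PATCHED:
        raise ValueError(f"unknown platform: {platform}")
    ver = parse_version(os_version)
    major = ver[0]
    if plat == "macos" and major in SAFARI_ONLY_MACOS_BRANCHES:
        # Older macOS branches stay exposed until Safari itself is updated.
        if safari_version is None:
            return "vulnerable"
        return "patched" if parse_version(safari_version) >= SAFARI_PATCHED else "vulnerable"
    branches = PATCHED[plat]
    if major in branches:
        # Tuple comparison is branch-aware: (18, 7, 3) >= (18, 7, 3) is patched,
        # and (26, 2, 1) >= (26, 2) still counts as patched.
        return "patched" if ver >= branches[major] else "vulnerable"
    # No fix shipped for this branch (e.g. iOS 17): the device must be moved to
    # a patched branch and should be treated as exposed until then.
    return "unsupported_branch"


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Group device ids by status so non-compliant devices can be actioned."""
    report: dict[str, list[str]] = defaultdict(list)
    for row in inventory:
        status = evaluate(row["platform"], row["os_version"], row.get("safari_version"))
        report[status].append(row["device_id"])
    return dict(report)


# Constructed sample inventory: device ids and version numbers are made up.
SAMPLE_INVENTORY = [
    {"device_id": "iphone-001", "platform": "iOS", "os_version": "26.2"},
    {"device_id": "iphone-002", "platform": "iOS", "os_version": "26.1"},
    {"device_id": "iphone-003", "platform": "iOS", "os_version": "18.7.3"},
    {"device_id": "iphone-004", "platform": "iOS", "os_version": "18.7.2"},
    {"device_id": "iphone-005", "platform": "iOS", "os_version": "17.7.1"},
    {"device_id": "ipad-001", "platform": "iPadOS", "os_version": "26.2 (buildtag)"},
    {"device_id": "mac-001", "platform": "macOS", "os_version": "26.2"},
    {"device_id": "mac-002", "platform": "macOS", "os_version": "15.7.2", "safari_version": "26.2"},
    {"device_id": "mac-003", "platform": "macOS", "os_version": "14.8.2", "safari_version": "26.1"},
    {"device_id": "mac-004", "platform": "macOS", "os_version": "15.7.2"},
    {"device_id": "watch-001", "platform": "watchOS", "os_version": "26.2.1"},
]

if __name__ == "__main__":
    for status, ids in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:19s} {', '.join(ids)}")
```

Devices reported as vulnerable or unsupported_branch are the ones an MDM deferral policy should not be allowed to hide; feeding the real export through audit() on a schedule turns "treat delayed updates as a security risk" into a measurable list.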
Conclusion
These WebKit zero-days reinforce an important truth. Modern attacks increasingly begin inside the browser. Silent exploitation, zero user interaction and full device impact make these flaws extremely dangerous. Apple has shipped patches across its ecosystem. Organizations must respond quickly. Delaying browser and OS updates is no longer a low-risk decision.
About COE Security
COE Security supports organizations in finance, healthcare, government, technology, consulting, real estate and SaaS. We help reduce risk through email security, threat detection, cloud security, secure development practices, compliance advisory, assessments and resilience planning.