Zero-Day Exploits Force Apple Patch Update

Sophisticated nation-state hackers have successfully targeted high-profile iOS users by exploiting two WebKit zero-day vulnerabilities (CVE-2025-43529 and CVE-2025-41474). Apple has released urgent patches for iOS, iPadOS, macOS, and Safari to address the use-after-free and memory corruption flaws, which were actively being used in targeted attacks. The severity of the exploit is underscored by CISA’s mandate for federal agencies to apply the patch by January 5, 2026. This incident marks Apple’s ninth zero-day fix in 2025, raising critical security concerns for individuals who rely on Apple’s devices for secure communication.

Story Snapshot

  • Apple patched two WebKit zero-days—CVE-2025-43529 and CVE-2025-41474—actively exploited in targeted attacks against specific high-profile individuals.
  • Patches released December 12, 2025, for iOS 26.2, iPadOS 26.2, iOS 18.7.3, macOS Tahoe 26.2, and Safari 26.2, addressing use-after-free and memory corruption flaws.
  • CISA mandates federal patches by January 5, 2026, after adding CVE-2025-43529 to its Known Exploited Vulnerabilities Catalog.
  • One flaw crossed over from Google’s Chrome patches, marking Apple’s ninth zero-day fix in 2025 amid rising APT threats.

Exploits Target High-Profile Users

Apple detected active exploitation of CVE-2025-43529, a use-after-free vulnerability in WebKit, on versions of iOS before iOS 26. Attackers used malicious web content to trigger arbitrary code execution without user interaction. CVE-2025-41474, a memory corruption issue affecting iOS before version 16, echoed a flaw Google patched first in Chrome. These sophisticated attacks focused on specific high-profile iOS users, likely journalists or activists pursued by advanced persistent threats. Apple released patches on December 12, 2025, urging immediate updates to protect individual liberty and digital privacy.

Patches Roll Out Across Platforms

Apple issued security updates for multiple platforms on December 12, 2025. iOS 26.2 and iPadOS 26.2 provide full WebKit fixes for newer devices. Older models like iPhone XS and XR receive iOS 18.7.3 and iPadOS 18.7.3. macOS Tahoe 26.2 and Safari 26.2 address the flaws through improved memory management and input validation. Unpatched systems remain exposed to remote code execution via booby-trapped websites. CISA added CVE-2025-43529 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by January 5, 2026.
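For teams tracking rollout, the fixed releases and the CISA due date above can be turned into a fleet check. The following is an added example, not code from Apple, CISA, or the article's sources; the inventory, hostnames, and function names are constructed for illustration, and it assumes release trains newer than those listed carry the fix forward.

```python
from datetime import date

# First fixed release per major-version train, exactly as the article lists them.
FIXED = {
    "iOS":    {26: (26, 2, 0), 18: (18, 7, 3)},
    "iPadOS": {26: (26, 2, 0), 18: (18, 7, 3)},
    "macOS":  {26: (26, 2, 0)},
    "Safari": {26: (26, 2, 0)},
}
KEV_DUE = date(2026, 1, 5)  # CISA due date for federal agencies, per the article

def parse_version(text):
    """'18.7.3' -> (18, 7, 3), zero-padded to three parts; ValueError if malformed."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Classify one device: patched / vulnerable / no_fix_listed / unknown."""
    trains = FIXED.get(platform)
    if trains is None:
        return "unknown"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v[0] > max(trains):
        return "patched"        # assumption: later trains carry the fix forward
    fixed = trains.get(v[0])
    if fixed is None:
        return "no_fix_listed"  # e.g. iOS 17.x: the article names no fixed build
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory, today):
    """Return (days until the CISA due date, rows that still need action)."""
    rows = [(host, plat, ver, assess(plat, ver)) for host, plat, ver in inventory]
    return (KEV_DUE - today).days, [r for r in rows if r[3] != "patched"]

# Constructed sample inventory: hostnames and versions are made up.
INVENTORY = [
    ("exec-phone", "iOS", "26.1"), ("field-xr", "iOS", "18.7.3"),
    ("lab-ipad", "iPadOS", "18.7.2"), ("old-phone", "iOS", "17.6"),
    ("design-mac", "macOS", "26.2"), ("kiosk", "Safari", "26.1.1"),
]

if __name__ == "__main__":
    days, todo = audit(INVENTORY, date(2025, 12, 15))
    print(f"{days} days to the CISA due date")
    for row in todo:
        print(*row)
```

Devices reported as `no_fix_listed` are on a release train for which the article names no patched build, so they need an upgrade path rather than a point update.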

WebKit’s Recurring Weakness Exposed

WebKit, Safari’s rendering engine powering iOS and macOS browsing, repeatedly attracts zero-day attacks due to its handling of untrusted web content. This incident marks Apple’s ninth such patch in 2025, following clusters like CVE-2025-24085 and CVE-2025-43200. State-sponsored spyware, such as Pegasus, has long targeted iOS for espionage against high-value individuals. The crossover from Chrome’s CVE-2025-41474 highlights shared risks in browser engines, despite Apple’s closed ecosystem. Conservative users prioritizing secure tools must stay vigilant against these erosions of personal digital sovereignty.

Professionals note WebKit’s complexity enables stealthy exploits favoring targeted strikes over mass campaigns. Qualys ThreatPROTECT warns of arbitrary code execution risks, pressing for patches before CISA deadlines. SecurityWeek points to exploit market reuse across engines like Chromium and WebKit forks.

Broad Implications for Security

Unpatched users face short-term risks of memory corruption and code execution from malicious sites, though attacks have been limited to high-profile targets. In the long term, frequent patches erode trust in Safari and pressure Apple to bolster bounties and sandboxing. Enterprises and governments bear deployment costs, while security firms like Qualys gain from cleanup demands. iOS remains a prime APT focus over Android, underscoring WebKit-Chromium convergence dangers. President Trump’s administration emphasizes robust cybersecurity to counter foreign threats, aligning with CISA’s protective mandate for critical infrastructure.

Affected parties include iOS users on versions below 26 or 18.7.3, with federal systems under deadline pressure. No public details have emerged on attacker identities or full victim lists, preserving operational security.

Sources:

Apple Warns of Zero-Day Vulnerability Exploited in Attack (CVE-2025-43529)
Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw
Actively Abused Zero-Day WebKit Flaws Patched by Apple
Apple patches two zero-day flaws used in targeted attacks