top of page
perceptive_background_267k.jpg

Apple fixes two zero-day flaws exploited in 'sophisticated' attacks

Published:

12 December 2025 at 23:23:25

Alert date:

13 December 2025 at 00:01:07

Source:

bleepingcomputer.com

Click to open the original link from this advisory

Apple released emergency security updates to address two zero-day vulnerabilities that were actively exploited in sophisticated attacks targeting specific individuals. The vulnerabilities were being exploited in the wild before patches were available. Apple acknowledged the active exploitation in their security advisory. The attacks were described as extremely sophisticated and targeted specific users. Emergency patches were issued across multiple Apple platforms to address the security flaws.

Technical details

CVE-2025-43529 is a WebKit use-after-free remote code execution flaw that can be exploited by processing maliciously crafted web content. CVE-2025-14174 is a WebKit memory corruption flaw that could lead to memory corruption. Both flaws were exploited in an extremely sophisticated attack targeting specific individuals. The flaws affect WebKit, which Google Chrome uses on iOS, making the activity consistent with highly targeted spyware attacks. Google also fixed the same CVE-2025-14174 in Chrome as an out-of-bounds memory access in ANGLE, indicating coordinated disclosure between Apple and Google.

Mitigation steps:

Users are strongly advised to install the latest security updates promptly to reduce the risk of ongoing exploitation. Apple has fixed the flaws in OS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2.

Affected products:

iPhone 11 and later
iPad Pro 12.9-inch (3rd generation and later)
iPad Pro 11-inch (1st generation and later)
iPad Air (3rd generation and later)
iPad (8th generation and later)
iPad mini (5th generation and later)
iOS versions before iOS 26
iOS 18.7.3 and iPadOS 18.7.3
OS 26.2 and iPadOS 26.2
macOS Tahoe 26.2
tvOS 26.2
watchOS 26.2
visionOS 26.2
Safari 26.2
Google Chrome
WebKit

Related links:

https://support.apple.com/en-us/125884
https://web.archive.org/web/20251211173722/https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
https://www.bleepingcomputer.com/news/security/apple-fixes-this-years-first-actively-exploited-zero-day-bug/
https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-exploited-in-extremely-sophisticated-attacks/
https://www.bleepingcomputer.com/news/apple/apple-fixes-webkit-zero-day-exploited-in-extremely-sophisticated-attacks/
https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-43300

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page