Apple Confirms iPhone Attacks—All Users Must Update Now

By Press Room, 13 December 2025

Updated on Dec. 13 with additional analysis of the new attack warning.

Apple has just warned that two iPhone vulnerabilities “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” It follows this month’s spyware warnings, issued to iPhone users around the world.

Both vulnerabilities have now been fixed in iOS 26.2, released today. But while the “update now” message applies to users already running iOS 26, there’s a more serious warning for those yet to upgrade. These attacks targeted individuals “on versions of iOS before iOS 26.” And even though iOS 18 is still being patched, it’s not worth the risk.

Apple wants you to upgrade. You should do exactly that.

Apple has disclosed that the two vulnerabilities are linked. CVE-2025-14174 and CVE-2025-43529 were both “issued in response to this report.” One is attributed to Google’s Threat Analysis Group, the other to Google’s threat hunters and Apple itself.

And both affect WebKit. One, Apple says, risks a browser “processing maliciously crafted web content (that) may lead to arbitrary code execution.” While the other “may lead to memory corruption.” This has the hallmarks of a chained spyware attack.

According to Ali Mousavifar from Menlo Security, “the two active WebKit exploits in iOS 26.2 highlight a clear trend: browser engines are a primary target for attackers. We should expect these types of attacks to continue as the browser becomes the center of modern work. Relying solely on patching is a reactive game.”

“In all probability, these vulnerabilities have been chained to achieve exploitation,” Mayuresh Dani from Qualys told me. “WebKit has a well-documented history of serving as the primary entry point for sophisticated spyware and surveillance campaigns.” That includes “now infamous monitoring spywares such as Pegasus, which have consistently relied on WebKit vulnerabilities as its primary attack vector.”

Dani says iPhone users must “follow operational security practices, such as updating to iOS 26.2 immediately, using iCloud Private Relay to mask their IP and encrypt DNS queries (and) also as a practice, users should enable private browsing and disable JavaScript temporarily while interacting with untrusted sites.”

The two exploited vulnerabilities are among eight WebKit threats patched in this release. The others are various types of memory mishandling, which open the door to destabilizing an app or the OS, potentially allowing other types of exploits to be used. Again, just more reasons to ensure you install the update as soon as it shows as available.

We have seen WebKit zero-day attacks before. It’s a prime target for spyware developers building and marketing exploits. These latest vulnerabilities can be added to the “17 zero-day bugs in WebKit that attackers have exploited in the wild” since 2023. And while these are targeted at very specific individuals, vulnerabilities have a nasty habit of getting into the wild and spreading further down the food chain.

“Users should urgently update all their impacted Apple devices,” James Maude from BeyondTrust warns. “Even though this only appears to be linked to a small number of targeted attacks it will quickly become a must have exploit for a range of threat actors.”

There is a further risk to users beyond the two exploited vulnerabilities, now that iOS 26’s fixes are in the public domain. For example, “an app may be able to access sensitive user data” in Messages or “password fields may be unintentionally revealed when remotely controlling a device over FaceTime.”

At the beginning of December, Google also warned that its OS was under attack. Again it was two vulnerabilities that were being exploited in the wild to target Android users. It rushed out an emergency update within hours and Pixels were patched within days.

Dani explains “the two critical WebKit vulnerabilities are memory safety violations that Apple confirms were weaponized in real-world targeted attacks against specific individuals on pre-iOS 26 devices. CVE-2025-43529 allows threat actors a direct code execution capability, while CVE-2025-14174 provides the much needed sandbox escape and privilege escalation capabilities which makes it devastating.”

The other notable vulnerability beyond WebKit, per Cyber Press, is “a critical Kernel issue (CVE-2025-46285) in which a malicious app could gain root privileges due to an integer overflow bug. The fix involves adopting 64-bit timestamps to prevent privilege escalation exploits. Another serious flaw in the App Store (CVE-2025-46288) could have allowed apps to access sensitive payment tokens, exposing financial data; this issue is now fixed with stricter permission controls.”

Maude warns “WebKit is the underpinning for every iOS browser and many apps as Apple requires it to be used for apps in their store. Every browser uses the same WebKit rendering engine, layering additional functionality on top. While this allows them to control the ecosystem, it also creates an inherent point of failure. If WebKit is vulnerable, your entire device could be vulnerable when viewing content online.”

This isn’t the first time we’ve seen Android and iPhone attacks disclosed and addressed the same month. Both operating systems are being attacked by the same mercenary spyware industry, so it should be no surprise. Both Apple and Google have done a good job in rushing out fixes to everyone, everywhere. The caveat on the Android side is that this only works for Pixels. Other OEMs — Samsung for example — cannot do the same.

America’s cyber defense agency issued its own warning following the Android release. We can almost certainly expect the same for Apple users by the beginning of next week.

“There’s no workaround or user behavior that meaningfully mitigates this risk,” says Keeper Security’s Darren Guccione. Installing the update “is the only effective defense. Once patches are public, the exposure window widens for anyone who delays updating.”
