CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Apple Patches Two Zero-Day Flaws in WebKit Exploited in Targeted Attacks

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Apple has released emergency updates to address two zero-day vulnerabilities (CVE-2025-43529 and CVE-2025-14174) in WebKit, which were exploited in sophisticated attacks targeting specific individuals. The flaws, a use-after-free and a memory corruption issue, can lead to remote code execution and memory corruption when processing maliciously crafted web content. The affected devices include various iPhone and iPad models running versions of iOS before iOS 26. Apple and Google's Threat Analysis Group discovered the vulnerabilities, and Google has also patched the same flaw (CVE-2025-14174) in Google Chrome, indicating coordinated disclosure. While the attacks were highly targeted, users are advised to update their devices promptly to mitigate ongoing risks. With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025.

Timeline

  1. 13.12.2025 01:23 2 articles · 1d ago

    Apple Patches Two Zero-Day Flaws in WebKit Exploited in Targeted Attacks

    Apple has released emergency updates to address two zero-day vulnerabilities (CVE-2025-43529 and CVE-2025-14174) in WebKit, which were exploited in sophisticated attacks targeting specific individuals. The flaws, a use-after-free and a memory corruption issue, can lead to remote code execution and memory corruption when processing maliciously crafted web content. The affected devices include various iPhone and iPad models running versions of iOS before iOS 26. Apple and Google's Threat Analysis Group discovered the vulnerabilities, and Google has also patched the same flaw (CVE-2025-14174) in Google Chrome, indicating coordinated disclosure. While the attacks were highly targeted, users are advised to update their devices promptly to mitigate ongoing risks. With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Eighth Chrome Zero-Day Vulnerability Patched in 2025

Google has released an emergency update to fix a high-severity zero-day vulnerability (466192044) in Chrome, marking the eighth such flaw exploited in attacks in 2025. The vulnerability, a buffer overflow in the ANGLE's Metal renderer, affects Chrome versions for Windows, macOS, and Linux. Google has not disclosed further details, including the CVE ID, as the issue remains under coordination. The flaw could lead to memory corruption, crashes, sensitive information leaks, and arbitrary code execution. Users are advised to update their browsers to versions 143.0.7499.109 for Windows and Linux, and 143.0.7499.110 for macOS. This update also addresses two additional medium-severity vulnerabilities (CVE-2025-14372 and CVE-2025-14373). Additionally, Google has released patches for three new Chrome zero-day vulnerabilities, including a high-severity one for which an exploit is accessible in the wild. The high-severity zero-day is referred to only by Google’s internal tracker ID, 466192044, with no CVE attributed at this stage. The status of the vulnerability is marked as 'Under coordination.' Access to the details of a vulnerability may be kept restricted until a majority of users are updated with a fix.

Open in new tab

Apple Spyware Notifications Sent to Targeted Users in 2025

Apple has sent notifications to multiple users warning them of targeted spyware attacks. The notifications were issued in March, April, June, and September 2025. The spyware attacks are sophisticated and exploit zero-day vulnerabilities in Apple products. The notifications indicate that at least one device linked to the iCloud account was targeted and potentially compromised. The time between the compromise attempt and the receipt of the notification is variable, often several months. The spyware programs involved include Pegasus, Predator, Graphite, and Triangulation. The notifications coincide with the disclosure of zero-day vulnerabilities CVE-2025-43300 in August and CVE-2025-24201 in March. Apple's Memory Integrity Enforcement (MIE) was unveiled to enhance memory safety and defend against spyware attacks.

Open in new tab

WhatsApp Zero-Day Exploited in Targeted Attacks

A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against specific users, chained with a separate iOS flaw (CVE-2025-43300). The flaw allowed unauthorized users to trigger content processing from arbitrary URLs on targeted devices. Apple issued threat notifications to users targeted in mercenary spyware attacks, which included individuals based on their status or function, such as journalists, lawyers, activists, politicians, and senior officials. The attacks highlight the risks of chaining multiple vulnerabilities to compromise targets, emphasizing the need for comprehensive security measures. WhatsApp patched the issue and notified affected users. Apple has sent threat notifications multiple times a year since 2021, alerting users in over 150 countries, including a fourth campaign in France in 2025. The attacks began with the exploitation of the WhatsApp zero-day vulnerability, which was chained with an iOS flaw in sophisticated attacks. Apple has been issuing threat notifications to users targeted in these attacks, advising them to enable Lockdown Mode and seek emergency security assistance. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities, and the number of U.S. investors in spyware and surveillance technologies has increased significantly.

Open in new tab

Image I/O Framework Zero-Day Exploited in Targeted Attacks

The zero-day vulnerability CVE-2025-43300 in Apple's Image I/O framework was exploited in targeted attacks against specific individuals. The flaw, an out-of-bounds write issue, was used in combination with a WhatsApp zero-day flaw (CVE-2025-55177) in sophisticated attacks potentially involving nation-state actors or spyware activity. The vulnerability affects multiple iOS, iPadOS, and macOS versions, as well as various iPhone, iPad, and Mac models. Apple has backported fixes for CVE-2025-43300 to older versions, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. Users are advised to update promptly to mitigate potential ongoing attacks. The flaw was discovered by Apple security researchers and impacts both older and newer devices. This is the seventh zero-day exploited in the wild since the start of the year. The flaw was addressed with improved bounds checking. Apple has patched a total of seven zero-day vulnerabilities exploited in the wild since the start of the year. The vulnerability was exploited in targeted attacks against specific individuals. Affected devices include iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, iPhone X, iPad Air 2, iPad mini (4th generation), iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation, iPod touch (7th generation), and Macs running macOS Sequoia, Sonoma, and Ventura. WhatsApp has also addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with the Apple flaw in targeted zero-day attacks. The WhatsApp vulnerability, CVE-2025-55177, is an insufficient authorization flaw in linked device synchronization messages. The flaw affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78. WhatsApp notified less than 200 users that they were targeted in an advanced spyware campaign over the last 90 days.

Open in new tab