On December 12, 2025, Apple released emergency security updates for iOS 18.2 (and equivalents across iPadOS, macOS, watchOS, tvOS, and visionOS) to address multiple vulnerabilities, including two zero-day flaws in the WebKit browser engine that have been actively exploited in highly sophisticated attacks targeting specific iPhone users.
These exploits were chained together to potentially enable arbitrary code execution and memory corruption via maliciously crafted web content, often delivered through targeted phishing or compromised websites. Apple has confirmed that these issues affected devices running versions prior to iOS 18.2, and the attacks appear to be linked to state-sponsored or mercenary spyware operations, similar to past incidents involving tools like Pegasus.
Key Vulnerabilities Patched
The two exploited zero-days are:
• CVE-2025-43529 (WebKit): A memory corruption issue where processing malicious web content could lead to unexpected behavior or code execution. Apple noted this was exploited in targeted attacks against individuals before the patch was available. Fixed via improved input validation.
• CVE-2025-14174 (WebKit): Another memory corruption vulnerability triggered by malicious web content, also confirmed as exploited in the wild against specific targets. Addressed with enhanced checks in WebKit.
These join a pattern of WebKit exploits, with Apple patching nine zero-days in the engine alone during 2025. The updates also cover over 20 other flaws, including additional WebKit issues and kernel-level problems.
Nature of the Attacks
The exploits were described as “extremely sophisticated,” aimed at a limited number of high-value targets—likely journalists, activists, or dissidents—rather than mass attacks. This mirrors tactics used by government-backed hackers or firms like NSO Group and Paragon Solutions. Interestingly, one related Chrome zero-day (discovered collaboratively by Apple’s security team and Google’s Threat Analysis Group) was patched simultaneously, suggesting a broader campaign affecting multiple platforms.
No evidence indicates widespread compromise, but the zero-click nature of the exploits (no user interaction required beyond visiting a site) makes them particularly dangerous for unpatched devices.
Affected Devices and Risks
• iPhones: All models on iOS versions before 18.2.
• Other Apple devices: iPads (iPadOS <18.2), Macs (macOS <15.2), Apple Watches, Apple TVs, and Vision Pro headsets.
• Risks: Potential for spyware installation, data theft, surveillance, or full device takeover. Even if not directly targeted, browsing malicious sites could trigger the flaws.
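For anyone managing more than one device, the version thresholds listed above can be checked against an inventory export. The following is an added example, not Apple's tooling. The CSV column names (name, platform, version) and the sample rows are assumptions constructed for illustration. Platforms for which this article gives no fixed version are flagged for manual review rather than guessed.

```python
import csv
import io

# Minimum patched versions exactly as stated in this article.
# watchOS, tvOS and visionOS are only described as "equivalents",
# so no threshold is assumed for them.
PATCHED = {"iOS": (18, 2), "iPadOS": (18, 2), "macOS": (15, 2)}


def parse_version(text):
    """Turn '18.1.1' into (18, 1, 1) so that 18.10 sorts after 18.2."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'review' for one device."""
    minimum = PATCHED.get(platform)
    if minimum is None:
        return "review"  # the article gives no fixed version here
    try:
        current = parse_version(version)
    except (ValueError, AttributeError):
        return "review"  # beta tags, blanks or malformed inventory data
    # Pad with zeros so that '18.2' and '18.2.0' compare equal.
    width = max(len(current), len(minimum))
    current += (0,) * (width - len(current))
    minimum += (0,) * (width - len(minimum))
    return "patched" if current >= minimum else "vulnerable"


def triage(inventory_csv):
    """Group device names by status from CSV text (name,platform,version)."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["platform"], row["version"])].append(row["name"])
    return result


# Constructed sample inventory (hypothetical devices).
SAMPLE = """name,platform,version
exec-iphone,iOS,18.1.1
press-ipad,iPadOS,18.2
dev-mac,macOS,15.10
lab-mac,macOS,15.1
lobby-tv,tvOS,18.1
test-iphone,iOS,18.2b3
"""

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank macOS 15.10 below 15.2 and report a patched Mac as vulnerable.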
Recommendations
Apple urges all users to update immediately—there’s no reliable workaround, and delaying exposes devices as exploit details spread. Here’s how:
1. Go to Settings > General > Software Update on your iPhone/iPad.
2. Ensure you’re connected to Wi-Fi and have sufficient battery/storage.
3. Install iOS/iPadOS 18.2 (or the equivalent for your device).
For broader protection:
• Enable Lockdown Mode if you’re a high-risk user (Settings > Privacy & Security > Lockdown Mode).
• Avoid clicking suspicious links and use Safari’s fraud warnings.
• Keep automatic updates enabled.
This incident underscores the ongoing cat-and-mouse game between Apple and advanced persistent threats, with WebKit remaining a prime target for iOS exploits. If you suspect compromise, contact Apple Support or consider a factory reset after updating.