
Photo: Confirmation of iPhone attacks. NurPhoto via Getty Images
Apple has just warned that two iPhone vulnerabilities “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” It follows this month’s spyware warnings, issued to iPhone users around the world.
Both vulnerabilities are fixed in iOS 26.2, released today. The update-now message applies to users already running iOS 26, but there is a more serious warning for those who have yet to upgrade: Apple says these attacks targeted individuals “on versions of iOS before iOS 26.” Even though iOS 18 still receives security patches, staying on it is not worth the risk. Apple wants you to upgrade, and you should do exactly that.
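For anyone managing a fleet rather than a single phone, the practical question is which devices fall into which of the three groups above: already on 26.2, on an earlier iOS 26 build, or still on an older major version. The script below is an added example, not from the article or from Apple; it assumes a simple JSON inventory export (a constructed sample is embedded) and uses only the thresholds the article gives, namely that iOS 26.2 carries the fixes and that the attacks targeted versions before iOS 26. It compares versions numerically rather than as strings, which matters because a lexical sort would put a hypothetical 26.10 below 26.2.

```python
"""Triage an iOS device inventory against the iOS 26.2 WebKit fixes.

Added example, not code from the article or from Apple. The inventory
format is an assumption: a JSON list of {"device", "os", "version"}.
"""
import json

FIXED_VERSION = (26, 2)        # iOS 26.2 ships the fixes for both CVEs (per Apple's note)
TARGETED_BELOW_MAJOR = 26      # Apple: attacks targeted "versions of iOS before iOS 26"

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = json.dumps([
    {"device": "exec-01",  "os": "iOS",   "version": "26.2"},
    {"device": "exec-02",  "os": "iOS",   "version": "26.1.1"},
    {"device": "legal-07", "os": "iOS",   "version": "18.7.3"},
    {"device": "sales-12", "os": "iOS",   "version": "26.10"},   # hypothetical; string compare would get this wrong
    {"device": "lab-mac",  "os": "macOS", "version": "26.1"},    # out of scope for this check
])


def parse_version(version: str) -> tuple:
    """Turn '26.1.1' into (26, 1, 1) so versions compare numerically.

    Raises ValueError on anything that is not dot-separated integers,
    so a malformed inventory row fails loudly instead of being mis-sorted.
    """
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(version: str) -> bool:
    """True if this iOS build predates the fixed release.

    Tuple comparison handles mixed lengths correctly:
    (26, 1, 1) < (26, 2) is True, (26, 2, 0) < (26, 2) is False.
    """
    return parse_version(version) < FIXED_VERSION


def triage(inventory_json: str) -> dict:
    """Bucket iOS devices into patched / update-within-26 / upgrade-from-older."""
    report = {"patched": [], "update_ios26": [], "upgrade_from_older": []}
    for row in json.loads(inventory_json):
        if row["os"] != "iOS":
            continue  # the article's fixed version applies to iOS; other OSes are not checked here
        version = parse_version(row["version"])
        if version >= FIXED_VERSION:
            report["patched"].append(row["device"])
        elif version[0] >= TARGETED_BELOW_MAJOR:
            report["update_ios26"].append(row["device"])      # on iOS 26 but missing 26.2
        else:
            report["upgrade_from_older"].append(row["device"])  # the population Apple says was targeted
    return report


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>18}: {', '.join(devices) or '-'}")
```

Feed it your MDM's export (mapped to the three fields) and the "upgrade_from_older" bucket is the list to chase first, since those devices match the population Apple says was attacked.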
Apple has disclosed that the two vulnerabilities are linked: CVE-2025-14174 and CVE-2025-43529 were both “issued in response to this report.” One is credited to Google’s Threat Analysis Group, the other to Google’s threat hunters together with Apple itself.
Both affect WebKit, the browser engine behind Safari and in-app web views on iOS. For one, Apple says, “processing maliciously crafted web content may lead to arbitrary code execution”; for the other, it “may lead to memory corruption.” A memory-corruption bug paired with a code-execution bug has the hallmarks of a chained spyware attack.
“In all probability, these vulnerabilities have been chained to achieve exploitation,” Mayuresh Dani from Qualys told me. “WebKit has a well-documented history of serving as the primary entry point for sophisticated spyware and surveillance campaigns.” That includes “now infamous monitoring spywares such as Pegasus, which have consistently relied on WebKit vulnerabilities as its primary attack vector.”
The two exploited vulnerabilities are among eight WebKit flaws patched in this release. The others are various forms of memory mishandling, which can crash an app or the OS and potentially serve as building blocks for other exploits. More reason to install the update as soon as it shows as available.
We have seen WebKit zero-day attacks before; the engine is a prime target for spyware developers building and marketing exploits. These latest flaws join the “17 zero-day bugs in WebKit that attackers have exploited in the wild” since 2023. And while these attacks are aimed at very specific individuals, exploits have a nasty habit of leaking and spreading further down the food chain once the details are out.
“Users should urgently update all their impacted Apple devices,” James Maude from BeyondTrust warns. “Even though this only appears to be linked to a small number of targeted attacks it will quickly become a must have exploit for a range of threat actors.”
There is a further risk beyond the two exploited vulnerabilities now that the iOS 26.2 release notes put the other fixes in the public domain. They include, for example, a bug where “an app may be able to access sensitive user data” in Messages and one where “password fields may be unintentionally revealed when remotely controlling a device over FaceTime.”
At the beginning of December, Google also warned that Android was under attack, again with two vulnerabilities being exploited in the wild. It rushed out an emergency update within hours, and Pixels were patched within days.
This isn’t the first time Android and iPhone attacks have been disclosed and addressed in the same month. Both operating systems are targeted by the same mercenary spyware industry, so it should be no surprise. Both Apple and Google have done a good job of rushing fixes out to everyone, everywhere. The caveat on the Android side is that this only works for Pixels; other OEMs, Samsung for example, cannot do the same.
America’s cyber defense agency, CISA, issued its own warning following the Android release. We can almost certainly expect the same for Apple users by the beginning of next week.
“There’s no workaround or user behavior that meaningfully mitigates this risk,” says Keeper Security’s Darren Guccione. Installing the update “is the only effective defense. Once patches are public, the exposure window widens for anyone who delays updating.”