
We live in interesting times. Mercenary, commercial spyware is being developed faster than exploits can be patched. Both Apple and Google have warned that this is a game-changer for their smartphones. Both have issued warnings directly to targeted users. And both have now issued emergency updates for their billions of users.

Google kicked off Dangerous December with a warning that Android is under attack, with two critical vulnerabilities “under limited, targeted exploitation.” Then Google issued another emergency update for all Chrome users. So quickly was this fix rushed out to 3 billion users, it didn’t even have a CVE classification at the time.


But now it does. “Google is aware that an exploit for CVE-2025-14174 exists in the wild.” And that’s where it gets interesting. Because Apple has just issued an emergency update for all iPhone and iPad users as well. Two vulnerabilities. One of which is also CVE-2025-14174, discovered by “Apple and Google Threat Analysis Group.”

The second Apple vulnerability is CVE-2025-43529, also attributed to Google’s Threat Analysis Group. Both Apple’s fixes affect the WebKit browser framework. Ali Mousavifar from Menlo Security explains that “the two active WebKit exploits in iOS 26.2 highlight a clear trend: browser engines are a primary target for attackers. Since WebKit powers every browser on an iPhone, this creates a wide exposure.”

Put the pieces together and you have a wide exposure across all smartphones and the world’s most popular browsers: Chrome, Safari and Microsoft Edge. Edge is also exposed to CVE-2025-14174, which Microsoft says “has been reported by the Chromium team as having an exploit in the wild.” There are no safe harbors.

America’s cyber defense agency has already issued its own CVE-2025-14174 update mandate for federal staff. Update Chrome and all other Chromium browsers by Jan. 2 or “discontinue use of the product.” The vulnerability, CISA says, could enable “a remote attacker to perform out of bounds memory access via a crafted HTML page.”


Apple’s iPhone and iPad emergency update has been released. Chrome’s has been released. Android’s has been released, albeit you need to await your own manufacturer update to hit your device. Samsung, Android’s leading OEM, is deploying now.

Do not wait. Update your smartphone as soon as you can. “Even though this only appears to be linked to a small number of targeted attacks,” James Maude from BeyondTrust warns, “it will quickly become a must have exploit for a range of threat actors.”