Apple just warned that two iPhone vulnerabilities “may have been exploited in a highly sophisticated attack against specific targeted individuals.” Next up are this month’s spyware warnings, issued to iPhone users worldwide.
Both vulnerabilities have now been patched in iOS 26.2, released today. But while the update message now applies to users already running iOS 26, there is a more serious warning for those who have yet to upgrade. These attacks targeted people “on versions of iOS prior to iOS 26.” And even though iOS 18 is still being patched, it’s not worth the risk. Apple wants you to upgrade. You should do just that.
Apple revealed that the two vulnerabilities are linked. CVE-2025-14174 and CVE-2025-43529 were “issued in response to this report”. One is attributed to Google’s threat analysis team, the other to Google’s threat hunters and Apple itself.
Both affect WebKit. One, Apple says, means that a browser that “processes maliciously crafted web content (that) can lead to arbitrary code execution,” while the other “can lead to memory destruction.” A code-execution bug paired with a memory bug has the characteristics of a chained spyware attack.
The two exploited vulnerabilities are among the eight WebKit threats fixed in this release. Others are different types of memory manipulation, which opens the door to destabilizing an application or operating system, potentially allowing other types of exploits to be used. Again, just more reasons to ensure you install the update as soon as it becomes available.
We’ve seen WebKit zero-day attacks before. The browser engine is a primary target for the developers who manufacture and market spyware. These latest vulnerabilities can be added to the “17 zero-day bugs in WebKit that attackers have exploited in the wild” from 2023. And while these attacks target very specific individuals, vulnerabilities have a nasty habit of getting into the wild and spreading further down the food chain.
There is an additional risk to users beyond the two exploited vulnerabilities: now that the iOS 26 fixes are public, the other patched flaws are known as well. For example, “an app may have access to sensitive user data” in Messages, or “password fields may be inadvertently exposed when remotely controlling a device via FaceTime.”
In early December, Google also warned that its operating system was under attack. Again, there were two vulnerabilities being exploited in the wild to target Android users. An emergency update was rushed out within hours, and Pixels were fixed within days.
This isn’t the first time we’ve seen Android and iPhone attacks revealed and addressed in the same month. Both operating systems are under attack by the same mercenary spyware industry, so it should come as no surprise. Both Apple and Google have done a good job of pushing fixes to everyone, everywhere. The caveat on the Android side is that this only works for Pixels. Other OEMs – Samsung for example – cannot do the same.
The US cyber defense agency issued its own warning following the Android release. We can almost certainly expect the same for Apple users by early next week.