Hackers have exploited two critical zero-day security vulnerabilities in Apple’s operating system in extremely sophisticated cyber attacks targeting specific individuals.
CVE-2025-43529 is a use-after-free vulnerability in the WebKit component that could result in remote code execution (RCE) when maliciously crafted content is processed.
Similarly, CVE-2025-14174 is a high-severity (CVSS 8.8) memory corruption flaw in WebKit that an attacker can trigger through maliciously crafted content. The zero-days affect Apple devices running operating systems before iOS 26.
Apple zero-day security vulnerabilities exploited in the wild.
The Cupertino-based company believes that hackers exploited the CVE-2025-43529 zero-day vulnerability, potentially chained with CVE-2025-14174, to target specific individuals in the wild.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” it stated.
The zero-day vulnerabilities affect iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 8th generation and later, and iPad mini 5th generation and later.
Meanwhile, Apple has released security updates for the twin zero-day security vulnerabilities CVE-2025-14174 and CVE-2025-43529 and urged users to update their software or upgrade their devices.
Similarly, internet search giant Google, which participated in discovering the zero-day security vulnerabilities in Apple’s WebKit (the engine Chrome for iOS is built on), has also released security updates for the world’s most popular browser.
Apple releases security updates for numerous exploited vulnerabilities.
Apple has released over half a dozen security updates for numerous vulnerabilities, some of which have been exploited in the wild in “extremely sophisticated” cyber attacks targeting specific individuals.
In January, Cupertino released security updates for the critical (CVSS V3 10.0) privilege escalation security flaw CVE-2025-24085 on iOS/iPadOS, macOS, tvOS, watchOS, and visionOS.
It also fixed CVE-2025-24200, a flaw that could enable a threat actor to disable USB Restricted Mode on a locked device. The flaw could enable forensic software, such as Graykey and Cellebrite, to bypass security controls and access data on a locked device.
While most iPhone users are unlikely victims, authoritarian governments could exploit the vulnerability to target dissidents, civil society, journalists, and human rights activists.
In March 2025, Apple patched a critical vulnerability in its WebKit implementation, CVE-2025-24201, which carries a perfect CVSS score of 10.0. The flaw could enable a threat actor to escape Apple’s Web Content sandbox and execute maliciously crafted content. The out-of-bounds write issue was also exploited in extremely sophisticated cyber attacks targeting specific individuals.
Two more critical (CVSS 9.8) security vulnerabilities in iOS, macOS Sequoia, iPadOS, and visionOS, CVE-2025-31200 and CVE-2025-31201, also received security fixes in April 2025.
Meanwhile, Apple’s WebKit has previously been exploited in extremely sophisticated cyber attacks involving the Pegasus surveillance malware.
So far, Apple has released very few details regarding the profile and the number of individuals affected in those “extremely sophisticated” cyber attacks. However, nation-state actors are usually behind the exploitation of iOS zero-day security vulnerabilities for surveillance and cyber espionage.