Apple has confirmed that two previously unknown zero-day vulnerabilities were actively exploited against iPhone users, prompting an urgent security update across iOS and iPadOS.
The flaws, which impact Apple’s WebKit browser engine, were used in sophisticated campaigns aimed at specific individuals.
One of the vulnerabilities, CVE-2025-43529, “… may lead to arbitrary code execution,” said Apple in its advisory.
WebKit Exploits as an Initial Access Vector
The most severe issue, tracked as CVE-2025-43529, is a use-after-free vulnerability in WebKit that allows attackers to achieve arbitrary code execution when a device renders specially crafted web content.
Use-after-free flaws occur when a program keeps referencing memory after it has been freed and the allocator has handed that memory to something else, enabling attackers to manipulate the stale pointer and ultimately execute attacker-controlled code.
In the context of WebKit, this means a malicious webpage can corrupt browser memory during normal page rendering, without requiring explicit user interaction beyond visiting the page.
A second vulnerability, CVE-2025-14174, is a related memory corruption flaw stemming from insufficient input validation within WebKit’s processing logic.
While Apple has not published detailed exploit mechanics, the close timing and shared attack surface strongly suggest the two vulnerabilities were chained together.
In advanced browser exploitation, attackers often pair memory corruption bugs with use-after-free conditions to gain more reliable control over memory layout and execution flow, increasing exploit stability across devices.
Because WebKit serves as the underlying browser engine not only for Safari but also for embedded web views across iOS and iPadOS, successful exploitation provides attackers with a highly dependable initial access vector.
Any application that renders web content using WebKit — whether a browser, messaging app, or in-app web view — can potentially expose users to exploitation simply by loading malicious content.
Use-after-free and memory corruption vulnerabilities are especially valuable to advanced threat actors because they can be combined with additional exploit primitives to bypass modern platform protections such as sandboxing, pointer authentication, and memory isolation.
In this case, malicious web content could trigger unsafe memory handling within WebKit, enabling attackers to execute code inside the browser sandbox.
From there, follow-on vulnerabilities — such as kernel-level privilege escalation flaws — can be chained to escape the sandbox and gain deeper control over the operating system.
Apple confirmed that both vulnerabilities were actively exploited in the wild prior to the release of iOS 26, indicating they were likely maintained as private zero-day exploits rather than publicly disclosed proof-of-concepts.
This behavior aligns with a broader trend in which sophisticated threat actors reserve high-value mobile zero-days for targeted espionage and surveillance operations, rather than deploying them in large-scale, opportunistic attacks that risk early detection and patching.
How to Reduce Mobile Risk
A layered, defense-in-depth approach helps organizations reduce both exposure and blast radius.
- Enforce rapid patching of iOS and iPadOS devices through MDM.
- Monitor managed devices for anomalous Safari and WebKit behavior, including repeated crashes, unusual browsing activity, or instability that could indicate attempted exploitation.
- Restrict web content exposure on mobile devices by applying managed Safari policies, limiting unmanaged web views, and blocking newly registered or known malicious domains at the network level.
- Reduce post-exploitation impact by enforcing least-privilege access for mobile users, requiring device compliance checks for sensitive applications, and segmenting access to high-value systems.
- Apply enhanced protections for high-risk roles by using stricter browsing controls, hardened device configurations, and limiting access to content-heavy or third-party apps that rely heavily on embedded web views.
- Prepare for future mobile zero-days by testing incident response plans, enabling rapid device isolation or wipe capabilities, and correlating mobile telemetry with identity and access activity.
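The patch-compliance and crash-monitoring controls above, as an added example that is not part of the original article: it walks a constructed MDM inventory and crash feed, reporting devices still below a minimum OS build (MIN_IOS is a placeholder, not a version from Apple's advisory) and devices whose WebKit WebContent process has crashed repeatedly within a short window.

```python
# Added example (not from the article): flag managed iOS/iPadOS devices that are
# behind the minimum patched build or show bursts of WebKit WebContent crashes.
from collections import defaultdict
from datetime import datetime, timedelta
# Assumption: MIN_IOS is set to the first build carrying the fix; "26.0.1" is a
# placeholder, not a version taken from Apple's advisory.
MIN_IOS = "26.0.1"
CRASH_THRESHOLD = 3                # WebContent crashes ...
CRASH_WINDOW = timedelta(hours=1)  # ... inside this sliding window
# Constructed sample MDM inventory and crash telemetry (not real device data).
DEVICES = [
    {"id": "ipad-001", "os": "26.0.1"},
    {"id": "iphone-002", "os": "18.6.2"},
    {"id": "iphone-003", "os": "26.0.1"},
]
CRASHES = [  # (device, ISO timestamp, crashing process)
    ("iphone-003", "2025-12-15T10:01:00", "com.apple.WebKit.WebContent"),
    ("iphone-003", "2025-12-15T10:07:30", "com.apple.WebKit.WebContent"),
    ("iphone-003", "2025-12-15T10:12:10", "com.apple.WebKit.WebContent"),
    ("ipad-001", "2025-12-15T09:00:00", "com.apple.WebKit.WebContent"),
    ("ipad-001", "2025-12-15T15:00:00", "com.apple.WebKit.WebContent"),
    ("iphone-002", "2025-12-15T11:00:00", "com.apple.mobilemail"),
]

def parse_version(v):
    """'26.0.1' -> (26, 0, 1); shorter strings are padded so tuples compare."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def unpatched_devices(devices, minimum=MIN_IOS):
    """IDs of devices still running a build older than the minimum."""
    floor = parse_version(minimum)
    return sorted(d["id"] for d in devices if parse_version(d["os"]) < floor)

def crash_bursts(crashes, threshold=CRASH_THRESHOLD, window=CRASH_WINDOW):
    """IDs of devices with >= threshold WebContent crashes in any window."""
    per_device = defaultdict(list)
    for dev, ts, proc in crashes:
        if proc == "com.apple.WebKit.WebContent":  # the renderer process
            per_device[dev].append(datetime.fromisoformat(ts))
    flagged = []
    for dev, times in per_device.items():
        times.sort()
        # Slide a window of `threshold` consecutive crashes over the timeline.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(dev)
                break
    return sorted(flagged)
```

Two isolated crashes a day apart (ipad-001) are not flagged, while three within eleven minutes (iphone-003) are; tune the threshold and window to the fleet's normal crash rate.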
When applied together, these controls improve mobile security without adding unnecessary operational complexity.
The Rise of Targeted Mobile Exploitation
This incident highlights a broader shift in the threat landscape: mobile platforms are no longer secondary targets, but primary entry points for advanced attacks.
Browser engines like WebKit continue to be high-value attack surfaces, and zero-day exploits are increasingly reserved for targeted surveillance and espionage operations rather than large-scale, opportunistic malware campaigns.
As mobile devices become trusted access points rather than peripheral endpoints, these shifts reinforce why security models like zero-trust — built on continuous verification and minimal implicit trust — are increasingly central to modern defense strategies.
