Apple Fixes WebKit Zero-Days Exploited in 'Extremely Sophisticated' Attacks


Apple has deployed security updates addressing two zero-day vulnerabilities in the WebKit engine, and its advisory confirms that both have been exploited in targeted attacks. The wording follows Apple's usual formula for such cases: "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." Separately, the Hong Kong Computer Emergency Response Team (HKCERT) has confirmed that "CVE-2025-14174 is being exploited in the wild," raising the priority for all macOS, iOS, and iPadOS users.

The fixes ship in Safari 26.2 for macOS Sonoma and Sequoia, and in the iOS 18.7.3 and iPadOS 18.7.3 releases. They close flaws that allow remote code execution (RCE) through the rendering of malicious web content. Apple's description of the attacks as "extremely sophisticated" points to advanced exploit chains aimed at high-value targets, which makes prompt updating necessary to prevent data compromise and unauthorized access to the device.

Key Takeaways
  • Vulnerabilities CVE-2025-14174 and CVE-2025-43529 enable remote code execution (RCE) via WebKit.
  • HKCERT has rated the risk level as Extremely High due to active exploitation in the wild.
  • Patches are now available in Safari 26.2 for macOS and iOS/iPadOS 18.7.3 for mobile devices.
  • Apple's note that the attacks hit "versions of iOS before iOS 26" refers to devices still on iOS 18 or earlier; iOS 18.7.3 is the back-ported fix for those devices. (iOS 26 is Apple's current major release, on the same year-based numbering as Safari 26.2.)

Technical Details: Memory Corruption and ANGLE Vulnerabilities

The two vulnerabilities sit in WebKit, the rendering engine behind Safari and the web views of numerous third-party applications. The first, CVE-2025-14174, is an out-of-bounds memory access in ANGLE, the graphics abstraction layer WebKit uses to implement WebGL on top of the platform's native graphics API. The defect lets crafted content make the engine read or write beyond the bounds of an allocated buffer, a primitive that can be turned into code execution inside the rendering process.

The second, CVE-2025-43529, is a memory corruption issue in WebKit itself. Apple's advisory withholds specifics, but the classification confirms that processing specially crafted web content can crash the browser or hand an attacker control of the rendering process. In both cases the vector is remote and needs no interaction beyond loading a page that carries the content.

Withholding granular technical details is standard vendor practice while most systems remain unpatched, since published details would speed up reproduction by other attackers. The confirmation of sophisticated, targeted attacks points to well-resourced threat actors. The exposure is broad because WebKit renders every page in Safari and every in-app web view, so until the update is applied any rendered page is a potential entry point.

HKCERT stated officially: "Hence, the risk level is rated as Extremely High Risk," confirming that CVE-2025-14174 is being actively exploited in the wild.

Version Clarification: What "Before iOS 26" Means for iOS 18.7.3

A point of potential confusion for users and IT managers stems from Apple's advisory, which states that the attacks were observed on "versions of iOS before iOS 26." This is not an internal codename or a WebKit engine number. Since 2025 Apple numbers its platform releases by year, so iOS 26, iPadOS 26 and Safari 26 are the current major versions, which is why the Mac fix carries the number Safari 26.2. "Before iOS 26" therefore means devices still running iOS 18 or earlier, and that is exactly the population iOS 18.7.3 serves: a security back-port for devices that have not moved to, or cannot run, iOS 26.

Devices on iOS 18 or iPadOS 18 remain vulnerable until they reach 18.7.3; the fix for CVE-2025-14174 and CVE-2025-43529 on that branch is contained in that release. Devices already on iOS 26 should not expect an 18.x build; they take their fix through the current 26.x update offered in Software Update. In both cases the action is the same: install whatever update Settings offers now.

The episode shows why the affected-version line of a release note should be read alongside the bulletin text. For mobile devices, the only way to mitigate the RCE risk is a full OS update, because WebKit ships as a system framework that every app rendering web content must use, rather than as a separately updatable app. On macOS, Safari and its WebKit are delivered through Software Update and can be updated without a full OS upgrade.

Attack Analysis: Sophisticated Threats Against Targeted Individuals

Apple described the detected attacks as "extremely sophisticated," a term typically associated in cybersecurity with cyber-espionage operations or campaigns conducted by Advanced Persistent Threat (APT) groups. These campaigns do not target the general public indiscriminately; instead, they focus on specific individuals, such as dissidents, journalists, government officials, or corporate executives, to exfiltrate sensitive data or monitor activities via device compromise.

The confirmation of in-the-wild exploitation for CVE-2025-14174 indicates that the exploit is functional and already in the hands of malicious actors. While the number of confirmed victims has not been disclosed, the risk remains high for anyone using unpatched devices. Once a vulnerability becomes public knowledge, less sophisticated criminal groups often attempt to replicate the exploit for broader attacks.

Furthermore, the lack of public Indicators of Compromise (IoCs) from Apple makes it difficult for enterprise security teams to verify if their systems have already been breached. In this scenario, the defense strategy must be proactive: neutralizing the vulnerability through patching is the only guaranteed measure to break the attack chain before persistence is established on a victim's device.

Required Actions and Remediation

Given the extremely high risk rating and confirmation of active attacks, it is mandatory to update all Apple systems immediately. Organizations and private users should follow these operational steps to neutralize the zero-day attack vectors.

  • Update mobile devices to iOS 18.7.3 and iPadOS 18.7.3 immediately. This is the only effective protection for iPhone and iPad, as it resolves flaws within the system's WebKit framework.
  • Install Safari 26.2 on macOS Sonoma and Sequoia. Mac users should check for updates in the "Software Update" panel. Safari 26.2 contains the necessary fixes for CVE-2025-14174 and CVE-2025-43529.
  • Verify versions via MDM. Enterprise system administrators should use Mobile Device Management consoles to force the installation of iOS 18.7.3 across managed fleets, closing the exposure window for employees.
  • Restart systems post-installation. Although some Safari updates on macOS may not strictly require it, a reboot ensures that all background WebKit processes are reloaded using the protected versions.
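A fleet-check helper for the MDM step above, as an added example that is not Apple's code or the article's: it compares dotted version strings component-wise (a plain string comparison would rank 26.10 below 26.2) against the minimum fixed versions the advisory names, reads the local Safari version from Safari.app's Info.plist when run on a Mac (an assumption about that path), and reports a constructed sample inventory of the kind an MDM export produces.

```shell
#!/bin/sh
# Added example (not from Apple or the article): decide whether a reported
# Safari / iOS / iPadOS version already carries the WebKit fix.
# Assumptions: minimum fixed versions from the advisory (Safari 26.2,
# iOS/iPadOS 18.7.3); on macOS the Safari version is read from
# /Applications/Safari.app/Contents/Info.plist, attempted only if it exists.

# version_ge A B -> exit status 0 when A >= B, comparing each dotted
# component as an integer (missing trailing components count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# patch_status PLATFORM INSTALLED -> prints PATCHED or VULNERABLE
# PLATFORM is one of: safari, ios, ipados
patch_status() {
    platform=$1; installed=$2
    case $platform in
        safari)     minimum=26.2 ;;
        ios|ipados) minimum=18.7.3 ;;
        *) echo UNKNOWN-PLATFORM; return 2 ;;
    esac
    if version_ge "$installed" "$minimum"; then
        echo PATCHED
        return 0
    fi
    echo VULNERABLE
    return 1
}

# installed_safari_version -> prints the local Safari version on macOS;
# fails quietly on any other system.
installed_safari_version() {
    plist=/Applications/Safari.app/Contents/Info.plist
    [ -f "$plist" ] || return 1
    defaults read "${plist%.plist}" CFBundleShortVersionString 2>/dev/null
}

# Constructed MDM inventory sample (device,platform,version); not real data.
sample_inventory="
mac-finance-01,safari,26.1.1
mac-dev-07,safari,26.2
iphone-ceo,ios,18.7.2
ipad-sales-3,ipados,18.7.3
iphone-legal,ios,18.7.10
"

# report_inventory -> prints one "device STATUS" line per inventory record
report_inventory() {
    printf '%s\n' "$sample_inventory" | while IFS=, read -r dev platform ver; do
        [ -n "$dev" ] || continue
        echo "$dev $(patch_status "$platform" "$ver")"
    done
}

# Stand-alone run: report the sample, then the local Safari if this is a Mac.
report_inventory
v=$(installed_safari_version) && echo "local-safari $(patch_status safari "$v")"
```

In a real deployment the inventory comes from the MDM export rather than an inline string; the comparison and status logic stay the same, and the non-zero return from patch_status lets the script be used directly as a compliance check.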

Neglecting these updates leaves devices exposed to an attack that starts with nothing more than visiting a website. A WebKit exploit on its own yields code execution inside the sandboxed rendering process; the "extremely sophisticated" attacks Apple describes are the kind that chain it with further bugs to escape that sandbox and take over the device, so closing the WebKit flaw removes the entry point of the chain. Response speed is the critical factor against exploits already operating in the field.

Frequently Asked Questions

What does it mean for an attack to be "extremely sophisticated"?

This indicates that the exploit is technically complex and likely expensive to develop. Often, such attacks require no user interaction (zero-click) or use multiple vulnerability chains to bypass Apple's security layers. They are typically reserved for high-value targets rather than common malware distribution.

Is updating just the Safari app on iPhone sufficient?

No. On iOS and iPadOS, Safari is only one of many programs using WebKit. The engine is a system framework used by almost every app that displays web content (email clients, social networks, in-app browsers), and third-party browsers on iOS are themselves built on it. Apple therefore does not ship a standalone Safari update for mobile; the fix arrives only with the OS update to iOS 18.7.3.

Is there a difference between the Safari version on macOS and iOS?

From a security perspective, CVE-2025-14174 and CVE-2025-43529 affect code shared across both platforms. However, on macOS, Safari can be updated independently (version 26.2), while on iOS, protection is tied to the firmware version (18.7.3). In both cases, the technical impact—remote code execution—remains the same.

The information in this article has been verified based on official advisories from Apple, HKCERT, and CISecurity.
