
Apple Rushes Out Emergency iOS Updates After Zero-Day Exploits Hit Targeted Users

  • Dec 15, 2025

Apple has pushed out a rare round of urgent security updates after confirming that two previously unknown flaws were actively exploited in what the company describes as an extremely sophisticated campaign aimed at specific individuals. The vulnerabilities affect WebKit, the browser engine that quietly underpins much of Apple’s software ecosystem, from Safari to in-app browsers embedded across iOS.


In a security bulletin released this week, Apple said the flaws were used against users running versions of iOS prior to iOS 26. While the company offered few details about the attackers or their targets, the language alone signals a serious escalation. Apple typically reserves this phrasing for high-end operations that blur the line between cybercrime and state-sponsored surveillance.


One of the bugs, tracked as CVE-2025-43529, allows remote code execution through maliciously crafted web content. The issue was identified by Google’s Threat Analysis Group, a unit known for investigating attacks tied to government-backed hacking groups. Because WebKit powers not just Safari but also Mail, the App Store, and countless in-app browsers, exploitation does not require users to install suspicious software. Simply loading a compromised webpage could be enough.


The second flaw, CVE-2025-14174, is another WebKit issue that can lead to memory corruption. Apple says it was discovered through a joint effort between its own security teams and Google’s Threat Analysis Group. Together, the two bugs create an unusually broad attack surface across iPhones, iPads, Macs, and even Apple TV and Vision Pro devices.


Affected hardware includes iPhone 11 models and newer, multiple generations of iPad Pro, iPad Air, standard iPads from the eighth generation onward, and recent iPad mini devices. Apple has since patched the vulnerabilities across a wide range of platforms, including iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, and Safari 26.2. Older supported branches such as iOS 18.7.3 also received fixes.


Security professionals say the scope of the update alone should raise alarms.

“iOS 26.2 is a priority security update. Apple has confirmed two WebKit vulnerabilities may already have been exploited in an extremely sophisticated, targeted attack against individuals on versions of iOS prior to iOS 26,” said Adam Boynton, Senior Security Strategy Manager at Jamf.


“As WebKit underpins Safari and the in-app browsers used across iOS, these issues can be triggered simply by processing maliciously crafted web content,” Boynton said.


Boynton added that the WebKit bugs are not the only concern addressed in this release. “The key fixes are CVE-2025-43529, which may enable arbitrary code execution, and CVE-2025-14174, which may cause memory corruption. Apple also patched a kernel issue, CVE-2025-46285, that could allow a malicious app to gain root privileges, which is particularly serious because it can let an attacker break out of normal app boundaries.”


The inclusion of a kernel-level fix suggests Apple may be closing off a potential exploit chain rather than a single isolated bug. In past campaigns, attackers have combined WebKit flaws with kernel vulnerabilities to achieve full device compromise, particularly against journalists, activists, and political figures.


There are hints that Apple’s issues may overlap with problems elsewhere in the browser ecosystem. Google recently issued Chrome updates for multiple security bugs, noting that one was actively exploited. That disclosure was later updated to credit Apple’s security engineering team and Google’s Threat Analysis Group for uncovering the issue. While there is no public confirmation that the bugs are directly related, the overlap points to a shared threat environment targeting modern browser engines.


For users, the immediate guidance is straightforward. Install the updates directly through system settings rather than clicking links or pop-ups that claim to offer patches. Apple recommends navigating to Settings, then General, then Software Update. Automatic updates help, but experts caution against assuming they will deploy instantly.


“The practical advice is simple: update your devices now from Settings > General > Software Update. Avoid updating via links or pop-ups, and do not rely on auto-updates alone in the first days after a patch is released,” Boynton said.


He also warned that the days immediately following disclosure are often the most dangerous. “If you manage fleets, set an enforced update deadline and monitor compliance because this is the exact window attackers exploit. If you are a high-risk individual, for example a journalist or someone that receives threat notifications, then you could also consider Lockdown Mode and reduce link clicking until your devices are fully patched.”
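For fleet operators, the deadline-and-compliance check described above can be sketched as follows. This is an added example, not code from Apple, Jamf, or the article; the fixed versions are the ones the article names, while the device names, inventory format, dates, and status labels are assumptions made for illustration.

```python
from datetime import date

# Fixed releases named in the article, keyed by (platform, major version).
# Branches the article does not list are sent to manual review, not guessed.
FIXED = {
    ("iOS", 26): (26, 2, 0), ("iOS", 18): (18, 7, 3),
    ("iPadOS", 26): (26, 2, 0), ("macOS", 26): (26, 2, 0),
    ("watchOS", 26): (26, 2, 0), ("tvOS", 26): (26, 2, 0),
    ("visionOS", 26): (26, 2, 0),
}

def parse_version(text):
    """Turn '18.7.3' into (18, 7, 3), zero-padded to three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def classify(platform, version, today, deadline):
    """Return compliant / pending / overdue / review for one device."""
    try:
        found = parse_version(version)
    except ValueError:          # empty or non-numeric version string
        return "review"
    fixed = FIXED.get((platform, found[0]))
    if fixed is None:           # branch not named in the article
        return "review"
    if found >= fixed:
        return "compliant"
    return "overdue" if today > deadline else "pending"

def report(inventory, today, deadline):
    """Map each device name to its compliance status."""
    return {name: classify(p, v, today, deadline) for name, p, v in inventory}

# Constructed sample inventory (hypothetical device names and versions).
INVENTORY = [
    ("ph-001", "iOS", "26.2"),
    ("ph-002", "iOS", "26.1"),
    ("ph-003", "iOS", "18.7.3"),
    ("ph-004", "iOS", "18.7.2"),
    ("tab-01", "iPadOS", "17.7"),
    ("mac-01", "macOS", "26.2.1"),
]

if __name__ == "__main__":
    # Constructed dates: the enforced deadline passed one day ago.
    for name, status in report(INVENTORY, date(2025, 12, 20), date(2025, 12, 19)).items():
        print(f"{name}: {status}")
```

Devices marked `review` run a branch for which the article names no fixed release, so they need a manual decision rather than an automatic pass.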


Apple has not attributed the attacks or shared how many people were targeted. That silence is typical, but it leaves open the bigger question of how often elite exploits circulate quietly before the public ever hears about them. For now, the message is clear. In a threat landscape where browsers double as operating systems and web content can be weaponized at scale, delaying a security update is no longer a neutral choice.
