Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers actively exploited in highly targeted attacks. The company described the activity as an "extremely sophisticated attack" aimed at specific individuals, suggesting spyware-style operations rather than widespread cybercrime.
What Happened
The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks. According to Apple's security bulletin, the flaws were abused on versions of iOS released before iOS 26, and the attacks were limited to "specific targeted individuals." The company acknowledged that it was aware of reports confirming active exploitation in the wild.
The first flaw, CVE-2025-43529, is a WebKit use-after-free vulnerability that can lead to arbitrary code execution when a device processes maliciously crafted web content. This allows attackers to run their own code on a device by tricking the browser into mishandling memory. Apple credited Google's Threat Analysis Group with discovering this flaw, which is often a strong indicator of nation-state or commercial spyware activity.
The second flaw, CVE-2025-14174, is also a WebKit issue, involving memory corruption. While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to fully compromise a device. Apple says this issue was discovered jointly by Apple and Google's Threat Analysis Group.
Background and Context
The WebKit engine is used in Safari and all browsers on iOS, making the risk significant. In some cases, simply visiting a malicious webpage may be enough to trigger an attack. The fact that these vulnerabilities were exploited in highly targeted attacks suggests that they may have been used by commercial spyware vendors, which are known to target Android, iOS, macOS, Chrome, and WhatsApp.
Google last week announced patches for a mysterious Chrome zero-day, which is now identified as CVE-2025-14174. The company said it had seen an exploit in the wild, but the flaw initially did not have a CVE identifier or any description, other than a 'high severity' rating. Google has updated its original advisory to clarify that the previously unidentified zero-day is CVE-2025-14174.
The Angle library, which is used by both Chrome's Blink browser engine and WebKit, is impacted by this vulnerability. Because of this, both Google and Apple products are affected. Microsoft has already updated Edge to address CVE-2025-14174, and Vivaldi has also been updated to patch the zero-day.
Why It Matters to the Industry
The fact that these vulnerabilities were exploited in highly targeted attacks is concerning for adult-industry platforms and operators. The use of commercial spyware vendors to target specific individuals suggests that attackers may be using sophisticated tactics to compromise devices. This could lead to a range of issues, including data breaches, unauthorized access, and even the spread of malware.
The fact that these vulnerabilities were discovered by Apple's own security team and Google's Threat Analysis Group highlights the importance of collaboration between companies in addressing cybersecurity threats. The use of WebKit and Angle libraries across multiple platforms means that a single vulnerability can have far-reaching consequences.
What Comes Next
The release of emergency security updates by Apple is a positive step in addressing these vulnerabilities. However, the fact that these flaws were exploited in highly targeted attacks suggests that attackers may still be using them to compromise devices. It is essential for adult-industry platforms and operators to stay vigilant and ensure that their systems are up-to-date with the latest security patches.
The use of commercial spyware vendors to target specific individuals highlights the need for robust cybersecurity measures, including regular updates, secure access controls, and comprehensive threat detection. By staying informed about emerging threats and taking proactive steps to address them, adult-industry platforms and operators can reduce their risk of compromise and protect their users' data.
Key Facts
- Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers actively exploited in highly targeted attacks.
- The vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and affect WebKit, the browser engine used in Safari and all browsers on iOS.
- Apple credited Google's Threat Analysis Group with discovering the first flaw, which is often a strong indicator of nation-state or commercial spyware activity.
- The Angle library, used by both Chrome's Blink browser engine and WebKit, is impacted by this vulnerability.
- Microsoft has already updated Edge to address CVE-2025-14174, and Vivaldi has also been updated to patch the zero-day.