Apple Issues Emergency Security Update for Two Zero-Day Vulnerabilities Exploited in Targeted Attacks
Apple has released a critical security update to address two zero-day vulnerabilities in WebKit that were actively exploited in targeted attacks.
Apple has released an emergency security patch to fix two zero-day vulnerabilities that were being actively exploited in highly targeted attacks.
The flaws, identified as CVE-2025-43529 and CVE-2025-14174, exist within WebKit, the browser engine that powers Safari and is used to display web content in many Apple applications. Because WebKit is so tightly integrated into the operating system, attackers could exploit these flaws simply by enticing users to visit a specially crafted website. No further interaction beyond loading the page would be necessary.
CVE-2025-43529 is a use-after-free vulnerability. This type of flaw occurs when software attempts to access memory after it has been freed, providing a potential avenue for attackers to execute arbitrary code. Google's Threat Analysis Group (TAG), which focuses on identifying sophisticated threats, discovered this vulnerability.
The second vulnerability, CVE-2025-14174, involves memory corruption. Apple and Google TAG researchers jointly identified this flaw, which could allow maliciously crafted web content to corrupt device memory, potentially leading to exploitation.
Security experts point out that the involvement of Google’s Threat Analysis Group, known for its work tracking state-sponsored actors, suggests that these attacks may be similar to other high-precision surveillance campaigns involving spyware.