Apple has released critical security updates for a wide range of its operating systems and devices, including iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari, to patch two actively exploited security vulnerabilities. The urgent patches were issued on Friday, December 13, 2025, to address flaws that Apple stated may have already been used in “extremely sophisticated attacks” targeting specific individuals. This discovery adds to a growing number of zero-day vulnerabilities Apple has had to remediate in 2025.
The vulnerabilities, identified as CVE-2025-43529 and CVE-2025-14174, underscore the ongoing cat-and-mouse game between cybersecurity researchers and threat actors. The rapid response from Apple, alongside similar patches from Google for its Chrome browser earlier in the week, highlights the critical nature of these exploits and the potential reach of sophisticated cyber threats.
Apple Addresses Actively Exploited Zero-Day Vulnerabilities
The first vulnerability addressed, CVE-2025-43529, is a use-after-free flaw in Apple’s WebKit rendering engine. A flaw of this type can let an attacker execute arbitrary code once a user is lured into processing maliciously crafted web content. While Apple has not assigned a CVSS score to this specific flaw, its exploitation in the wild indicates a high degree of risk.
The second, CVE-2025-14174, is a more severe memory corruption issue in WebKit, carrying a CVSS score of 8.8, signifying a high severity. This flaw could also lead to arbitrary code execution through the processing of malicious web content. Notably, this is the same vulnerability that Google addressed in its Chrome browser on December 10, 2025. Google described it as an out-of-bounds memory access vulnerability within its open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically impacting its Metal renderer.
Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) are credited with the discovery and reporting of these vulnerabilities. TAG alone is credited with finding CVE-2025-43529. The fact that both vulnerabilities affect WebKit is significant. WebKit serves as the foundation for all third-party web browsers on iOS and iPadOS, including popular options like Chrome, Microsoft Edge, and Mozilla Firefox. This shared component means that exploiting these flaws could potentially compromise a vast number of users across different applications.
Implications of Sophisticated Exploitation
Apple’s advisory indicates that these vulnerabilities “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.” This suggests that the exploits were likely part of highly targeted, mercenary spyware campaigns. Such attacks are often employed by state-sponsored actors or sophisticated criminal organizations to gain access to the devices of specific individuals, such as journalists, activists, or political figures.
Because WebKit is shared code, patches for these zero-day exploits benefit a broad range of users, not just those using Apple’s native applications. However, the targeted nature of these attacks means that individuals who are not considered high-value targets may not have been directly affected, though the potential for widespread compromise remains a concern.
Devices and Versions Affected by the Security Updates
Apple has released specific updates to address these vulnerabilities across its ecosystem. For the latest iPhone and iPad models, the updates are iOS 26.2 and iPadOS 26.2, applicable to devices such as the iPhone 11 and later, and a range of iPad models including the iPad Pro 12.9-inch (3rd generation and later). Older yet still supported devices, including the iPhone XS and later, have received updates in the form of iOS 18.7.3 and iPadOS 18.7.3.
Mac users running macOS Tahoe are protected by macOS Tahoe 26.2. Apple TV users can secure their devices with tvOS 26.2, covering all models of Apple TV HD and Apple TV 4K. For Apple Watch users, watchOS 26.2 is available for Apple Watch Series 6 and later. The newly introduced visionOS also receives a security update with visionOS 26.2 for all Apple Vision Pro models. Lastly, Safari users on macOS Sonoma and macOS Sequoia can update to Safari 26.2 to patch these risks.
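For administrators who need to check a device inventory against the patched versions listed above, the following helper is an added example (not Apple's tooling and not part of the original article). It encodes the minimum patched builds from the advisory text per platform and release branch, compares dotted version strings branch by branch (so iOS 18.7.3 and iOS 26.2 are each recognized as patched while 18.7.2 or 26.1 are not), and flags anything still exposed. The inventory, device names and platform keys are constructed for illustration; a Mac on Sonoma or Sequoia is audited by its Safari version, since the article lists Safari 26.2 as the fix for those releases.

```python
"""Fleet-audit helper (added example): flag Apple devices still exposed to
CVE-2025-43529 and CVE-2025-14174 by comparing a reported OS or browser
version against the minimum patched builds named in the advisory."""
from dataclasses import dataclass

# Minimum patched versions per platform and release branch, taken from the
# advisory text. Branches are keyed by major version. A device whose major
# version has no patched release listed is treated conservatively as exposed.
# The "macos" entry covers only macOS Tahoe; Macs on Sonoma or Sequoia are
# audited through their Safari version instead.
PATCHED = {
    "ios":      {26: (26, 2), 18: (18, 7, 3)},
    "ipados":   {26: (26, 2), 18: (18, 7, 3)},
    "macos":    {26: (26, 2)},
    "tvos":     {26: (26, 2)},
    "watchos":  {26: (26, 2)},
    "visionos": {26: (26, 2)},
    "safari":   {26: (26, 2)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.7.3' into (18, 7, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so (26, 2) and (26, 2, 1) compare component-wise."""
    return v + (0,) * (n - len(v))


def is_patched(platform: str, version: str) -> bool:
    """True if `version` on `platform` is at or above the fixed build for its branch."""
    key = platform.lower()
    if key not in PATCHED:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(version)
    fixed = PATCHED[key].get(v[0])
    if fixed is None:          # branch with no listed fix: assume exposed
        return False
    n = max(len(v), len(fixed))
    return _pad(v, n) >= _pad(fixed, n)


@dataclass
class Device:
    name: str       # hypothetical inventory label
    platform: str   # key into PATCHED
    version: str    # version string as reported by the device


def audit(devices: list[Device]) -> list[tuple[str, str, str]]:
    """Return (name, platform, version) for every device still exposed."""
    return [(d.name, d.platform, d.version)
            for d in devices if not is_patched(d.platform, d.version)]


# Constructed sample inventory (device names are placeholders).
SAMPLE = [
    Device("exec-iphone", "ios", "26.2"),
    Device("field-ipad", "ipados", "18.7.2"),
    Device("design-mac", "macos", "26.1"),
    Device("lab-mac-sequoia", "safari", "26.2"),
    Device("lobby-appletv", "tvos", "26.0"),
]

if __name__ == "__main__":
    for name, platform, version in audit(SAMPLE):
        print(f"EXPOSED  {name:<18} {platform:<9} {version}")
```

Run it as-is to see the three exposed sample devices listed; in practice, feed `audit()` the platform and version fields exported from your MDM or asset inventory.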
With these December updates, Apple has now addressed nine zero-day vulnerabilities that have been exploited in the wild throughout 2025. Other notable zero-days patched this year include CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300. This trend suggests an active threat landscape and a continued focus by attackers on finding and exploiting previously unknown weaknesses in popular software and hardware.
Users are strongly advised to apply these updates immediately to protect their devices from potential exploitation. The ongoing discovery of zero-day vulnerabilities highlights the importance of maintaining up-to-date software and continuing vigilance in cybersecurity practices.