Active Exploitation of Apple WebKit Zero-Days (CVE-2025-43529 & CVE-2025-14174)
December 26th, 2025
High

Our Cyber Threat Intelligence Unit is tracking active exploitation of two zero-day vulnerabilities in Apple’s WebKit browser engine: CVE-2025-43529 and CVE-2025-14174. These were first reported in the wild in early December 2025 and later confirmed by Apple and independent security researchers. Apple released emergency security updates on December 12, 2025, for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari on macOS after evidence showed these vulnerabilities were used in extremely sophisticated, targeted attacks against specific individuals before patches were available. Both vulnerabilities allow arbitrary code execution when victims load maliciously crafted web content in WebKit-based browsers (including Safari and all browsers on iOS/iPadOS). Given confirmed in-the-wild exploitation and the potential for complete device compromise, rapid patching is strongly advised.
Technical Details
Attack Type: Remote exploitation of WebKit via malicious web content.
Severity: High.
CVE Tags:
CVE-2025-14174: WebKit memory corruption vulnerability associated with the same underlying issue patched earlier by Google Chrome (ANGLE component).
CVE-2025-43529: WebKit use-after-free vulnerability enabling arbitrary code execution.
Affected Components / Platforms:
WebKit browser engine (Safari and all iOS/iPadOS browsers).
Patched baselines include:
iOS / iPadOS 26.2 and 18.7.3
macOS Tahoe 26.2
watchOS 26.2
tvOS 26.2
visionOS 26.2
Safari 26.2 for macOS
Exploitation Timeline:
Early December 2025: In-the-wild exploitation activity identified.
10 December 2025: Google patches the related ANGLE issue assigned CVE-2025-14174.
12 December 2025: Apple issues platform-wide security updates addressing both WebKit vulnerabilities.
Attack Vector: Victims are targeted via malicious or specially crafted web content that triggers memory corruption in WebKit when rendered. Successful exploitation allows remote arbitrary code execution with no additional interaction beyond viewing the content.

Impact
Successful exploitation may result in:
Remote arbitrary code execution.
Full compromise of device confidentiality and integrity.
Credential and data theft.
Long-term surveillance or persistence.
Broader enterprise compromise via managed Apple endpoints.
Organizations with unpatched high-value users (executives, legal, political, journalists, diplomats, researchers) face elevated risk.
Detection Method
Security teams should:
Identify devices running versions prior to:
iOS / iPadOS 26.2 or 18.7.3
macOS Tahoe 26.2
tvOS 26.2
watchOS 26.2
visionOS 26.2
Safari 26.2 for macOS
Monitor for abnormal Safari/WebKit crashes or memory exceptions.
Enable EDR/XDR behavioral detections focused on:
Browser process anomalies.
Unusual child process execution.
Suspicious WebKit activity patterns.
Correlate web access logs with endpoint telemetry around crash events.
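The first detection step above is a version-compliance sweep against the patched baselines. The following is an added example, not part of the advisory, that runs that sweep over a constructed MDM/EMM inventory export; the field names (device, platform, os_version, safari_version) are assumptions about the export format, not a vendor schema.

```python
# Added example, not from the advisory: flag devices below the patched baselines listed above.
# Inventory field names (device, platform, os_version, safari_version) are assumed, not a vendor schema.

# platform -> [(release line, minimum version on that line)], taken from the advisory.
# iOS/iPadOS have two fixed lines (18.7.3 and 26.2); every other platform has one.
PATCHED_BASELINES = {
    "iOS": [(18, (18, 7, 3)), (26, (26, 2))],
    "iPadOS": [(18, (18, 7, 3)), (26, (26, 2))],
    "macOS": [(26, (26, 2))],
    "tvOS": [(26, (26, 2))],
    "watchOS": [(26, (26, 2))],
    "visionOS": [(26, (26, 2))],
    "Safari": [(26, (26, 2))],
}

def parse_version(text):
    """'18.7.3' -> (18, 7, 3); tuple ordering handles 26.2 < 26.2.1 and 26.1.1 < 26.2."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(platform, version):
    """True when the version meets the baseline for its release line. A line the
    advisory lists no fix for (e.g. iOS 17) is reported unpatched, per its 'prior to' wording."""
    parsed = parse_version(version)
    for line, minimum in PATCHED_BASELINES.get(platform, []):
        if parsed[0] == line:
            return parsed >= minimum
    return False

def find_unpatched(inventory):
    """Return [(device, component, version)] for each component below baseline.
    macOS hosts are checked on both the OS build and the Safari build."""
    findings = []
    for row in inventory:
        if not is_patched(row["platform"], row["os_version"]):
            findings.append((row["device"], row["platform"], row["os_version"]))
        if row["platform"] == "macOS" and "safari_version" in row:
            if not is_patched("Safari", row["safari_version"]):
                findings.append((row["device"], "Safari", row["safari_version"]))
    return findings

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"device": "iphone-01", "platform": "iOS", "os_version": "26.2"},
    {"device": "iphone-02", "platform": "iOS", "os_version": "18.7.2"},
    {"device": "ipad-01", "platform": "iPadOS", "os_version": "18.7.3"},
    {"device": "mac-01", "platform": "macOS", "os_version": "26.1", "safari_version": "26.1"},
    {"device": "mac-02", "platform": "macOS", "os_version": "26.2", "safari_version": "26.2"},
    {"device": "watch-01", "platform": "watchOS", "os_version": "26.0.1"},
]

for device, component, version in find_unpatched(SAMPLE_INVENTORY):
    print(f"{device}: {component} {version} is below the patched baseline")
```

Devices on a release line the advisory lists no baseline for are flagged rather than skipped, so a fleet with older macOS or iOS majors still surfaces for triage.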
Indicators of Compromise
There are no Indicators of Compromise (IoCs) for this advisory.

Recommendations
Patch & Update:
Apply Apple’s latest security updates immediately.
Verify patch compliance via MDM/EMM platforms.
Enforce automatic OS and browser updates.
Harden High-Risk Users:
Prioritize executives, journalists, activists, and government-aligned roles.
Consider temporary browsing restrictions until fully patched.
Enhance Monitoring:
Increase scrutiny of web proxy and endpoint telemetry.
Monitor for abnormal WebKit execution or crash signatures.
Review devices with historically deferred OS updates.
Coordinate & Communicate:
Align SOC, IR, IT, and MDM response workflows.
Track patch coverage and exceptions.
Share findings internally and with trusted partners as appropriate.
Conclusion
These WebKit vulnerabilities, CVE-2025-43529 and CVE-2025-14174, are confirmed zero-day exploits in the wild that allow arbitrary code execution via malicious web content. The highly targeted, sophisticated nature of the attacks, along with confirmed pre-patch exploitation, elevates operational risk, particularly for high-value users. We urge organizations and individuals to treat remediation as urgent, ensure full update coverage across Apple fleets, and maintain heightened monitoring for potential browser exploitation-related behaviors.
References
https://support.apple.com/en-us/125884
https://thehackernews.com/2025/12/apple-issues-security-updates-after-two.html
https://www.securityweek.com/apple-patches-two-zero-days-tied-to-mysterious-exploited-chrome-flaw/
https://cybernews.com/security/ios-26-2-iphone-security-update/
https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/
https://www.webpronews.com/google-and-apple-patch-exploited-zero-day-vulnerabilities-in-urgent-update
https://www.darkreading.com/vulnerabilities-threats/apple-patches-more-zero-days-sophisticated-attack
https://www.helpnetsecurity.com/2025/12/15/ios-macos-cve-2025-14174-cve-2025-43529/