Apple has urgently patched two critical zero-day vulnerabilities in the WebKit browser engine affecting iPhone and iPad users. The company revealed these flaws are actively exploited, enabling advanced attacks on high-risk targets. Vulnerabilities CVE-2025-43529 and CVE-2025-14174 let attackers run malicious code if a victim visits a specific web page.
WebKit powers Safari and renders web content across iOS devices, and that extensive role makes it a broad attack surface. An attacker does not need physical access to the device; processing “maliciously crafted web content” (such as a compromised website or a malicious ad) is enough to trigger the exploit.
Apple’s advisory for both bugs uses identical, alarming language regarding their active exploitation:
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”
This phrasing usually indicates targeted attacks by sophisticated groups against important individuals.
CVE-2025-43529 (Use-After-Free): The Google Threat Analysis Group (TAG) found a “use-after-free” vulnerability. This occurs when a program continues to use memory after it has already been freed, allowing hackers to run code. Apple fixed this by enhancing memory management (WebKit Bugzilla: 302502).
CVE-2025-14174 (Memory Corruption): This issue, credited to both Apple and Google TAG, can lead to memory corruption, which might crash systems or give attackers access. It was fixed through better input validation (WebKit Bugzilla: 303614).
The vulnerabilities impact various modern Apple mobile devices. If you have one of the following, your device is at risk until updated:
iPhone: iPhone 11 and later
iPad Pro: 12.9-inch (3rd gen+), 11-inch (1st gen+)
iPad Air: 3rd gen and later
iPad: 8th gen and later
iPad mini: 5th gen and later
Now that the patches are available, other hackers may try to analyze the fixes to create their own attacks. Users should update to iOS 26 (or the latest version available in Settings) right away.
InfoSecBulletin Cybersecurity for mankind
