Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities in its WebKit browser engine, tracked as CVE-2025-43529 and CVE-2025-14174. WebKit is the rendering engine behind Safari and, because Apple requires it for all third-party browsers on iOS and iPadOS, behind every browser on those platforms; it also ships in macOS, watchOS, tvOS, and visionOS. Both flaws can be triggered simply by visiting a maliciously crafted webpage, with no further user interaction. Apple confirmed the vulnerabilities were used in highly sophisticated, targeted attacks against specific individuals, potentially enabling remote code execution on compromised Apple devices. CVE-2025-43529 is a use-after-free vulnerability in WebKit that allows an attacker to manipulate memory state and execute arbitrary code when crafted web content is processed. CVE-2025-14174 is a memory corruption issue in the ANGLE graphics abstraction layer used by WebKit; it was originally observed and patched by Google in Chrome before being disclosed as a shared CVE affecting multiple browser platforms, so it also affects Google Chrome and Microsoft Edge on macOS. Given the confirmed in-the-wild exploitation and the breadth of affected platforms across iOS, iPadOS, macOS, watchOS, tvOS, and visionOS, immediate patching is critical to reduce the risk of Apple device compromise through drive-by attacks.
Apple released patches in iOS/iPadOS 26.2 and 18.7.3 for older devices, macOS Tahoe 26.2, Safari 26.2, and updated versions of tvOS, watchOS, and visionOS to remediate these actively exploited WebKit zero-day vulnerabilities.
Apple has released emergency security updates across its entire platform stack to remediate two actively exploited zero-day vulnerabilities in its WebKit browser engine, tracked as CVE-2025-43529 and CVE-2025-14174. These critical flaws affect WebKit, the rendering engine behind Safari and all browsers on iOS and iPadOS platforms, meaning that virtually any web content rendered in these environments could trigger the vulnerabilities. Apple confirmed that at least one of the WebKit bugs was used in highly sophisticated real-world attacks against specific targeted individuals before security patches were available, underscoring the immediate risk posed by both zero-day issues.
CVE-2025-43529 is a use-after-free vulnerability in Apple WebKit. A use-after-free occurs when a program continues to use memory after it has been released, potentially allowing an attacker to manipulate memory state and execute arbitrary code when crafted web content is processed by Safari or other WebKit-based browsers. Memory corruption flaws of this kind are often a key component of remote exploitation chains targeting Apple devices. The vulnerability is triggered when the browser loads maliciously crafted web content; the victim does not need to install anything.
CVE-2025-14174 is a memory corruption issue tied to the ANGLE graphics abstraction layer used in WebKit for rendering graphics content. Originally observed and patched by Google in Chrome, this vulnerability was subsequently disclosed as a shared CVE affecting multiple browser implementations beyond Google’s technology stack. Both Apple WebKit zero-day vulnerabilities can be triggered when the browser loads maliciously crafted web content through drive-by attacks, with no additional user interaction beyond visiting a compromised or malicious website.
Because Apple's platform requirements make WebKit mandatory for all third-party browsers on iOS and iPadOS, these zero-day flaws extend beyond Safari to any browser on those platforms that relies on WebKit for web content rendering. The vulnerabilities also affect WebKit on macOS and other Apple operating systems such as tvOS, watchOS, and visionOS. The ANGLE-related memory corruption aspect of CVE-2025-14174, shared with Chrome's implementation, shows that the underlying issue has significant cross-browser implications beyond Apple's technology stack, also affecting Google Chrome version 143.0.7499.110 and Microsoft Edge version 143.0.3650.80 on macOS platforms.
To address these high-severity WebKit zero-day issues, Apple released security patches in iOS/iPadOS 26.2 and 18.7.3 for older devices, macOS Tahoe 26.2, Safari 26.2, and updated versions of tvOS 26.2, watchOS 26.2, and visionOS 26.2. Users and administrators are strongly urged to apply these Apple security updates immediately because unpatched devices remain vulnerable to code execution and complete device compromise via crafted web pages delivered through drive-by attacks or targeted exploitation campaigns.
Organizations must ensure all Apple devices are updated to the latest patched versions immediately, including iOS/iPadOS 26.2 or 18.7.3 for older devices, macOS Tahoe 26.2, Safari 26.2, and corresponding updates for watchOS 26.2, tvOS 26.2, and visionOS 26.2. Unpatched Apple systems remain vulnerable to remote exploitation via maliciously crafted web content delivered through WebKit zero-day vulnerabilities. Implement mobile device management solutions to enforce automatic update policies across enterprise Apple device deployments.
Organizations must update Google Chrome to version 143.0.7499.110 or later and Microsoft Edge to version 143.0.3650.80 or later on macOS platforms, as CVE-2025-14174 affects the shared ANGLE graphics engine used across multiple browsers beyond Apple’s WebKit implementation. Verify that all Chromium-based browsers deployed on macOS systems receive appropriate security patches addressing the ANGLE memory corruption vulnerability.
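The two remediation steps above reduce to a version-compliance check against the fixed builds the advisory lists. The following is an added example, not part of the advisory or of any Apple, Google or Microsoft tooling: it compares a constructed device inventory against those minimum versions, handling the two supported iOS/iPadOS branches (18.7.3 and 26.2) separately and treating unknown products or older major versions as exposed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum fixed versions per product, keyed by major version branch.
# Values are taken from the advisory; iOS/iPadOS has two supported branches.
FIXED: Dict[str, Dict[int, Version]] = {
    "iOS":    {18: (18, 7, 3), 26: (26, 2)},
    "iPadOS": {18: (18, 7, 3), 26: (26, 2)},
    "macOS":  {26: (26, 2)},
    "Safari": {26: (26, 2)},
    "Chrome": {143: (143, 0, 7499, 110)},   # macOS builds, per the advisory
    "Edge":   {143: (143, 0, 3650, 80)},    # macOS builds, per the advisory
}

def parse_version(text: str) -> Version:
    """Turn '143.0.7499.110' into a tuple of ints for lexicographic comparison."""
    return tuple(int(part) for part in text.strip().split("."))

def _pad(v: Version, length: int) -> Version:
    """Right-pad with zeros so '26.2' compares equal to '26.2.0'."""
    return v + (0,) * (length - len(v))

def is_patched(product: str, version: str) -> bool:
    """True if this product/version is at or above the fixed build.

    Unknown products are reported as exposed so they get reviewed by a human.
    A major version with no listed fix is exposed if it predates the fixed
    branches and assumed patched if it is newer than all of them.
    """
    branches = FIXED.get(product)
    if branches is None:
        return False
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is None:
        return v[0] > max(branches)
    width = max(len(v), len(fixed))
    return _pad(v, width) >= _pad(fixed, width)

# Constructed sample inventory rows: (host, product, version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("mbp-01", "macOS", "26.2"), ("mbp-01", "Safari", "26.2"),
    ("mbp-01", "Chrome", "143.0.7499.109"),
    ("mbp-02", "macOS", "26.1"), ("mbp-02", "Edge", "143.0.3650.80"),
    ("iphone-07", "iOS", "18.7.2"), ("iphone-09", "iOS", "18.7.3"),
    ("ipad-03", "iPadOS", "26.2"),
]

def find_exposed(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return every inventory row still below the fixed version."""
    return [row for row in rows if not is_patched(row[1], row[2])]

if __name__ == "__main__":
    for host, product, version in find_exposed(INVENTORY):
        print(f"EXPOSED {host}: {product} {version}")
```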
Organizations should monitor endpoints and mobile device logs for abnormal browser crashes, WebKit or GPU process failures, and unusual WebGL activity patterns that may indicate Apple zero-day exploitation attempts. Implement endpoint detection and response solutions capable of identifying memory corruption exploitation techniques and unexpected process terminations associated with browser rendering engine attacks targeting WebKit vulnerabilities.
Organizations should enforce web filtering where operationally possible, educate users against clicking untrusted links, and consider enabling Apple Lockdown Mode for users at elevated risk until patching is fully completed across all Apple devices. Lockdown Mode provides additional protections against sophisticated attacks targeting WebKit and other Apple platform components, though it may impact some device functionality and should be deployed strategically for high-risk users.
TA0042 – Resource Development
TA0001 – Initial Access
TA0002 – Execution
TA0004 – Privilege Escalation
TA0005 – Defense Evasion
TA0006 – Credential Access
User Execution
https://support.apple.com/en-us/100100
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125884
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-14174
https://hivepro.com/threat-advisory/google-chrome-zero-day-exploited-in-angle-graphics-engine/