
Apple Zero-Day Exploited in Targeted Attacks (CVE-2026-20700)

Red | Vulnerability Report

Summary

Apple has released emergency security updates addressing CVE-2026-20700 (CWE-119), a critical memory corruption vulnerability in dyld (Dynamic Link Editor), the fundamental system component responsible for loading and linking dynamic libraries at runtime across all Apple operating system platforms. The vulnerability has been confirmed as actively exploited in an extremely sophisticated, targeted attack campaign directed against specific high-profile individuals on iOS devices running versions prior to iOS 26. This zero-day represents a significant threat as it undermines Apple’s foundational security architecture by compromising the trust chain before runtime security protections can be initialized.

CVE-2026-20700 stems from improper state management within the dyld component during the dynamic library loading process. The vulnerability allows an attacker who has already achieved memory write capability on a target device through a separate vulnerability or exploit chain to leverage this dyld flaw to execute arbitrary code by corrupting dyld’s internal state. This corruption enables attackers to effectively hijack control flow during the library loading process, redirecting execution to malicious shellcode before critical security mechanisms including code signing verification, application sandboxing, and Address Space Layout Randomization (ASLR) are fully initialized.

The significance of compromising dyld cannot be overstated: it represents the first component that executes when any application launches on Apple platforms, making it the foundation upon which all subsequent security layers depend. By corrupting dyld state during this critical early execution phase, attackers can inject and execute malicious payloads before the operating system’s defensive mechanisms have an opportunity to validate code integrity or enforce security policies. This effectively bypasses Apple’s entire chain of trust, rendering most runtime security protections ineffective and providing attackers with near-complete control over the compromised device.

Apple confirmed active exploitation targeting specific individuals in what the company characterizes as an extremely sophisticated attack campaign. The vulnerability is part of a multi-stage exploit chain that includes two previously patched WebKit vulnerabilities: CVE-2025-14174 (out-of-bounds memory access in WebKit) and CVE-2025-43529 (use-after-free vulnerability in WebKit), both patched in December 2025. Google Threat Analysis Group (TAG), which specializes in tracking government-backed cyber threats and targeted surveillance operations, discovered and reported all three vulnerabilities to Apple. The involvement of Google TAG strongly suggests nation-state threat actor involvement and indicates this exploit chain has been used in targeted surveillance campaigns against individuals of strategic intelligence interest.

The affected products span Apple’s entire operating system ecosystem including iOS and iPadOS (mobile devices), macOS Tahoe (desktop/laptop computers), tvOS (Apple TV devices), watchOS (Apple Watch wearables), and visionOS (Apple Vision Pro mixed reality headsets). Apple addressed the vulnerability through improved state management mechanisms in iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3. CISA has added CVE-2026-20700 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by specified deadlines and signaling confirmed active exploitation by threat actors.

Vulnerability Details (Condensed)

Technical Root Cause: Memory corruption in dyld (Dynamic Link Editor) due to improper state management during the dynamic library loading process. Enables arbitrary code execution once an attacker already holds a memory write primitive.

Exploitation Requirements: Requires initial memory write capability achieved through separate vulnerability (exploit chain). CVE-2026-20700 is the privilege escalation/defense evasion component, not the initial access vector.

Security Impact: Compromises the foundation of Apple’s security architecture. dyld executes before code signing, sandboxing and ASLR are initialized, allowing attackers to inject payloads that bypass all runtime protections.

Confirmed Exploitation: Actively exploited in targeted attacks against specific high-profile individuals. Part of multi-CVE exploit chain including CVE-2025-14174 and CVE-2025-43529 (WebKit vulnerabilities patched December 2025).

Attribution Indicators: Google Threat Analysis Group (government-backed threat tracking) reported vulnerabilities, strongly indicating nation-state actor involvement in targeted surveillance.

Affected Ecosystem: iOS, iPadOS, macOS Tahoe, tvOS, watchOS, visionOS (entire Apple platform range).


Recommendations

  1. Emergency Patching Across All Apple Devices – Update to iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, visionOS 26.3 immediately via MDM
  2. Prioritize High-Value Targets – Executives, government officials, journalists, human rights workers at elevated risk for targeted surveillance
  3. Enable Automatic Updates – Reduce exposure window for future zero-days on all organizational and BYOD devices
  4. Verify December 2025 WebKit Patches – Confirm CVE-2025-14174 and CVE-2025-43529 patches applied (exploit chain dependencies)
  5. Post-Patch Security Assessment – Review logs for dyld exploitation indicators, anomalous code execution on Apple devices
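To support recommendations 1 and 4, the following added example (not part of this advisory or of any Apple or Hive Pro tooling) applies the 26.3 fix table above to an MDM device inventory and lists devices still below the fixed release for their platform. The inventory record format and all device rows are constructed for illustration; the WebKit fixes are not checked because the advisory gives no version numbers for them.

```python
"""Flag Apple devices in an MDM inventory that are below the CVE-2026-20700 fix level.

Assumed (constructed) inventory format: one dict per device with
"device_id", "platform" and "os_version" keys, as an MDM export might provide.
"""
from typing import Iterable

# First fixed release per platform, as stated in Apple's CVE-2026-20700 advisory.
FIXED_VERSIONS = {
    "ios": "26.3", "ipados": "26.3", "macos": "26.3",
    "watchos": "26.3", "tvos": "26.3", "visionos": "26.3",
}


def parse_version(text: str) -> tuple:
    """Turn '26.3.1' into (26, 3, 1); a trailing build tag such as '26.3 (build)' is ignored."""
    core = text.strip().split()[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(platform: str, os_version: str) -> bool:
    """True when the device runs at or above the first fixed release for its platform."""
    key = platform.lower().split()[0]  # "macOS Tahoe" -> "macos"
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown Apple platform: {platform!r}")
    # Tuple comparison handles point releases: (26, 3, 1) >= (26, 3), (26, 2, 1) < (26, 3).
    return parse_version(os_version) >= parse_version(FIXED_VERSIONS[key])


def find_unpatched(inventory: Iterable[dict]) -> list:
    """Return the inventory records that still need the 26.3 update, in input order."""
    return [d for d in inventory if not is_patched(d["platform"], d["os_version"])]


# Constructed sample inventory; device ids, platforms and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"device_id": "iphone-001", "platform": "iOS", "os_version": "26.3"},
    {"device_id": "iphone-002", "platform": "iOS", "os_version": "26.2.1"},
    {"device_id": "ipad-001", "platform": "iPadOS", "os_version": "18.7"},
    {"device_id": "mac-001", "platform": "macOS Tahoe", "os_version": "26.3 (build)"},
    {"device_id": "watch-001", "platform": "watchOS", "os_version": "26.1"},
    {"device_id": "vision-001", "platform": "visionOS", "os_version": "26.3.1"},
]

if __name__ == "__main__":
    for dev in find_unpatched(SAMPLE_INVENTORY):
        print(f"NEEDS UPDATE: {dev['device_id']} ({dev['platform']} {dev['os_version']})")
```

Feed it the real export instead of `SAMPLE_INVENTORY` to produce the patch backlog, ordering the output by the high-value user groups named in recommendation 2.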

MITRE ATT&CK TTPs

Initial Access: T1189 (Drive-by Compromise) | Execution: T1203 (Exploitation for Client Execution) | Privilege Escalation: T1068 (Exploitation for Privilege Escalation) | Defense Evasion: T1211 (Exploitation for Defense Evasion), T1574.004 (Dylib Hijacking), T1574.006 (Dynamic Linker Hijacking)
