Apple Rushes iOS 26.2 Update to Patch Two Actively Exploited Zero-Days
Apple Issues Emergency iOS 26.2 Update to Fix Two Zero-Day Flaws Used in Targeted Spyware Attacks
CVE Identifiers
Full Report
Executive Summary
Apple has released an emergency out-of-band security update, iOS 26.2 and iPadOS 26.2, to address two critical zero-day vulnerabilities that are being actively exploited in the wild. The flaws, CVE-2025-43529 and CVE-2025-14174, exist in the WebKit browser engine and can be triggered by maliciously crafted web content, leading to arbitrary code execution. Apple states it is aware of reports that these flaws have been used in targeted spyware attacks against specific individuals. The update also patches a total of 26 flaws, including a kernel vulnerability that could allow for full device takeover. Due to the active exploitation, all users are strongly advised to apply the update without delay.
Vulnerability Details
The two actively exploited zero-day vulnerabilities reside within WebKit, the browser engine that powers Safari and other web-rendering applications on Apple's platforms.
CVE-2025-43529: This is a use-after-free vulnerability in WebKit. By processing specially crafted web content, an attacker can trigger this memory corruption flaw to execute arbitrary code on the target device. This is a classic vector for browser-based exploits, allowing attackers to gain an initial foothold on a device simply by convincing a user to visit a malicious website.
CVE-2025-14174: This is a memory corruption issue within the ANGLE (Almost Native Graphics Layer Engine) component of WebKit, which is used for rendering WebGL content. This vulnerability was also reported as a zero-day in Google Chrome and was jointly attributed to Apple's security team and Google's Threat Analysis Group (TAG). The coordinated disclosure suggests the flaw was being exploited across multiple platforms.
In addition to the zero-days, the update patches CVE-2025-46285, a flaw in the iPhone Kernel that could allow a malicious application to gain root privileges. This type of vulnerability is often used as a second-stage exploit after initial access is gained, allowing an attacker to escalate privileges and take complete control of the device.
Affected Systems
The vulnerabilities affect a wide range of Apple products. Users are urged to update to the latest software versions:
- iOS 26.2 and iPadOS 26.2
- macOS Sonoma 15.2
- tvOS 18.2
- watchOS 11.2
- visionOS 2.2
- Safari 18.2
Any devices running versions of iOS prior to 26.2 are considered vulnerable to the zero-day exploits.
Exploitation Status
Apple has confirmed that it is "aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." The language used strongly suggests targeted deployment by nation-state actors or high-end mercenary spyware vendors against high-profile targets such as journalists, activists, and government officials. Now that the vulnerabilities are public, security experts warn that less sophisticated threat actors will likely reverse-engineer the patch and develop exploits for wider use.
Impact Assessment
The impact of these vulnerabilities is severe. Successful exploitation of the WebKit flaws (CVE-2025-43529 and CVE-2025-14174) provides an attacker with remote code execution capabilities within the context of the browser. When chained with the kernel privilege escalation flaw (CVE-2025-46285), an attacker can achieve a full device compromise. This would allow them to install persistent spyware, exfiltrate sensitive data (messages, emails, photos), access the microphone and camera, and monitor all user activity without their knowledge. For enterprise environments, a compromised device can serve as a pivot point into corporate networks.
Cyber Observables for Detection
Detecting exploitation of these flaws on-device is difficult without advanced EDR/MDR solutions for mobile. However, security teams can hunt for related activity:
| Type | Value | Description |
|---|---|---|
| process_name | WebContent |
Monitor for anomalous child processes spawned by the WebContent process on macOS or suspicious behavior in mobile EDR. |
| network_traffic_pattern | Unusual connections from Safari/browser processes | Look for connections to unknown or suspicious domains, especially after a user visits a new or untrusted website. |
| event_id | (Varies by EDR) | Hunt for privilege escalation events originating from browser-related processes to root. |
Detection & Response
- Device Inventory: Use Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solutions to immediately query all managed devices and identify those not running iOS 26.2, iPadOS 26.2, or the other patched OS versions.
- Log Analysis: For organizations with network visibility, analyze proxy and DNS logs for connections from corporate iOS devices to known malicious infrastructure or newly registered domains. This can help identify potential initial access attempts. Reference D3FEND technique
Network Traffic Analysis. - Endpoint Detection: On macOS, EDR solutions should be configured to alert on suspicious child processes spawned by Safari or other browsers. For example, a
WebContentprocess launching a shell or downloading additional payloads. Reference D3FEND techniqueProcess Analysis.
Mitigation
- Immediate Patching: The primary and most critical mitigation is to update all affected Apple devices to the latest software versions. This should be treated as an emergency patch. Use MDM/UEM to enforce updates where possible.
- User Awareness: Inform high-risk users (executives, system administrators, etc.) about the threat and advise them to be extra cautious about clicking links from unknown sources.
- Restrict Web Content: For managed devices, consider using web filtering solutions to block access to uncategorized or newly registered domains to reduce the attack surface. Reference D3FEND countermeasure type
Harden.
Timeline of Events
MITRE ATT&CK Mitigations
Update Software
Applying the iOS 26.2 and other corresponding updates is the most direct and effective mitigation.
Mapped D3FEND Techniques:
Restrict Web-Based Content
Using web filters to block malicious or untrusted websites can prevent users from accessing the content needed to trigger the exploit.
Antivirus/Antimalware
Mobile Threat Defense (MTD) solutions may detect post-exploitation behavior or known spyware payloads.
Mapped D3FEND Techniques:
D3FEND Defensive Countermeasures
The most critical defensive action is to enforce immediate software updates across all managed and unmanaged Apple devices. For corporate environments, utilize Mobile Device Management (MDM) or Unified Endpoint Management (UEM) platforms to push the iOS 26.2, iPadOS 26.2, and macOS Sonoma 15.2 updates. Configure policies to enforce the update within a strict timeframe (e.g., 24-48 hours) and restrict access to corporate resources for non-compliant devices. For high-risk individuals, such as executives and system administrators, direct communication and manual verification of the update are recommended. This action directly remediates the root cause of the threat by patching the vulnerable WebKit and Kernel components, making exploitation of these specific CVEs impossible. Verify successful deployment by running compliance reports in your MDM/UEM dashboard to confirm all devices are on the patched versions.
While patching is paramount, network-level detection provides a crucial secondary layer of defense to identify potential compromises. Implement network traffic analysis focused on egress traffic from mobile device subnets. Since the exploit is delivered via web content, security teams should monitor for connections to suspicious or newly registered domains (NRDs). Pay close attention to traffic patterns from devices belonging to high-profile users. Establish a baseline of normal browsing behavior and alert on anomalies, such as connections to IP addresses in unusual geolocations or data transfers that deviate from the norm. This can help detect the initial connection to the exploit server or subsequent command-and-control (C2) communication from a compromised device. Use tools like Zeek or commercial Network Detection and Response (NDR) platforms to analyze traffic and flag suspicious sessions.
On macOS endpoints, which are also affected via Safari, leverage an Endpoint Detection and Response (EDR) solution to monitor for anomalous process behavior originating from Safari or its WebContent child processes. A successful WebKit exploit would likely involve the browser process spawning a shell (/bin/sh, /bin/zsh), executing a script interpreter (python, perl), or making suspicious network connections to download a second-stage payload. Configure EDR alerts for these specific behaviors. For the kernel flaw, monitor for any process that unexpectedly gains root privileges. While direct process analysis on iOS is restricted, Mobile Threat Defense (MTD) solutions can achieve a similar outcome by monitoring for malicious profiles, application-level anomalies, and other indicators of compromise that signal post-exploitation activity.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats