Apple says it fixed zero-day flaws used for 'sophisticated' attacks

• Apple patches two WebKit zero‑days (CVE‑2025‑43529 and CVE‑2025‑14174) used in a highly targeted attack
• Flaws were jointly uncovered by Google TAG and Apple, with Chrome receiving a parallel fix
• Updates span iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari, with users urged to patch quickly

Apple fixed two zero-day vulnerabilities exploited in an “extremely sophisticated attack” which, all things considered, could have been a cyber-espionage attack against one, or a handful of, high-profile individuals.

In a new security advisory, Apple said it deployed a patch for a use-after-free remote code execution (RCE) vulnerability in WebKit, as well as a WebKit memory corruption flaw.

WebKit is Apple’s browser engine responsible for rendering web pages. It powers Safari on macOS, iOS, and iPadOS, and is used by all browsers on iPhone and iPad.