The security threat involves two critical vulnerabilities in WebKit, the browser engine used by Apple’s Safari and all third-party browsers on iOS and iPadOS. The first vulnerability, CVE-2025-43529, is a use-after-free flaw that can lead to arbitrary code execution when processing maliciously crafted web content. This type of vulnerability allows attackers to execute code remotely by exploiting memory management errors, potentially gaining control over the affected device. The second vulnerability, CVE-2025-14174, is a memory corruption issue related to out-of-bounds memory access in the ANGLE library’s Metal renderer, also leading to memory corruption and possible code execution. This flaw was simultaneously patched by Google for Chrome, highlighting its cross-platform impact. Both vulnerabilities have been exploited in the wild in highly sophisticated attacks targeting specific individuals, likely involving mercenary spyware campaigns. The affected platforms include iOS (versions prior to 26.2), iPadOS, macOS (Tahoe and Sonoma/Sequoia), tvOS, watchOS, visionOS, and Safari browser versions. Apple credited Google’s Threat Analysis Group and its own Security Engineering and Architecture team for discovering and reporting these flaws. The exploitation requires no user interaction beyond visiting a malicious web page, increasing the risk of widespread compromise. These zero-day vulnerabilities underscore the criticality of timely patching, especially given their use in targeted espionage operations.

For European organizations, the impact of these WebKit vulnerabilities is substantial due to the widespread adoption of Apple devices in both consumer and enterprise environments. Successful exploitation can lead to arbitrary code execution, enabling attackers to install spyware, steal sensitive data, or gain persistent access to corporate networks. The fact that these vulnerabilities affect all browsers on iOS/iPadOS increases the attack surface, as users may be tricked into visiting malicious websites regardless of their browser choice. Targeted attacks using these flaws could compromise executives, government officials, journalists, and other high-value individuals, leading to espionage, intellectual property theft, or disruption of services. The cross-platform nature of the flaw (also affecting Chrome on Apple devices) further amplifies risk. Additionally, the exploitation of these zero-days in sophisticated spyware campaigns indicates that threat actors are highly motivated and capable, raising the stakes for organizations handling sensitive or regulated data. Failure to patch promptly could result in significant confidentiality breaches and reputational damage.

European organizations should implement a multi-layered mitigation strategy beyond simply applying patches. First and foremost, ensure all Apple devices are updated to the latest OS versions (iOS/iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, Safari 26.2) as soon as possible. Deploy Mobile Device Management (MDM) solutions to enforce update compliance and monitor device health. Restrict access to sensitive corporate resources from personal or unmanaged Apple devices until they are patched. Employ network-level protections such as web filtering and DNS filtering to block access to known malicious domains and URLs that may host exploit payloads. Enhance endpoint detection and response (EDR) capabilities to identify anomalous behaviors indicative of exploitation attempts or spyware installation. Educate users about the risks of visiting untrusted websites and the importance of installing updates promptly. For high-risk users, consider deploying browser isolation technologies or restricting browser capabilities to reduce exposure. Finally, maintain robust incident response plans tailored to spyware and zero-day exploit scenarios to enable rapid containment and remediation.