“Even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker,” wrote Boris Larin of Kaspersky’s GReAT Team, a message all too relevant to Apple’s recent urgent update.

Apple has released urgent security fixes in iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari to mitigate two actively exploited WebKit zero-day vulnerabilities, which exist inside every Apple application. Tracked as CVE-2025-43529 and CVE-2025-14174, the flaws were seen in highly targeted attacks launched against particular individuals, typical of state-sponsored spyware attacks.
CVE-2025-43529: A use-after-free vulnerability, which occurs when memory that has already been freed is reused, leading to code execution. It was identified by Google’s Threat Analysis Group (TAG).
CVE-2025-14174: A memory corruption issue that was identified by the Apple SEAR team and Google TAG. It has now also been patched by Google for Chrome, which exposed it as an out-of-bounds memory access in the ANGLE graphics library, a cross-browser component that is shared by WebKit and Chrome. Its prevalence is further illustrated by the fact that Chrome, Edge, Opera, Vivaldi, and all browsers on iOS were affected.
The exploitation chain seems to reflect very sophisticated browser tradecraft. In a high-precision attack, for example, memory corruption can be combined with use-after-free vulnerabilities in such a way that the memory layout can be controlled. In a WebKit environment, a malicious page can compromise the browser's memory during rendering, with nothing more required than loading the page itself. Indeed, since WebKit underlies the embedded web views used in a number of messaging apps and other software, the attack surface extends well beyond Safari.
As stated in Apple advisories, these vulnerabilities were abused on iOS versions before 26.0, which implies they were zero-days in private possession before now. The involvement of Google TAG, which is known to track state-aligned hackers, is notable in light of operations like Operation Triangulation, in which hackers combined multiple zero-day vulnerabilities to install spyware. In that attack, even undocumented GPU coprocessor protections in Apple SoCs were bypassed: threat actors leveraged unknown Memory-Mapped I/O (MMIO) regions to bypass kernel memory protection and achieve kernel escape.
The current WebKit zero-day incidents are part of a wave of mobile exploitation. Past precedents show a similar level of sophistication in Android attacks, for instance the LANDFALL spyware campaign, where a Samsung image processing zero-day vulnerability was abused for zero-click attacks using malicious DNG files transmitted over the messaging application WhatsApp.
The kind of cross-platform vulnerability found in commonly used components, including ANGLE, is considered particularly valuable to sophisticated actors. As Rapid7’s Douglas McKee said, “Memory safety flaws in shared graphics components are extremely valuable because they’re cross-platform and often chainable.” It is therefore crucial that disclosure, as occurred between Apple and Google, takes place so that attack vectors are sealed before they are adapted.
For defenders, the implications are clear: browser engine vulnerabilities should be considered a high-risk initial access method. To protect themselves, organizations can enforce swift mobile patching through MDM, monitor for unusual WebKit activity such as unexpected application crashes, and implement domain blocking at the network level. Additionally, for high-risk employees like diplomats or executives, secure device settings and restrictions on unmanaged web views should be considered.
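The patching and crash-monitoring steps above can be combined into one triage pass over an MDM inventory export and crash telemetry. This is an added example, not code from Apple or any MDM vendor; the record layouts, device names and the minimum-version values are constructed placeholders, and the real minimum versions must come from Apple's advisory. A WebKit crash is a reason to review a device, not proof of exploitation.

```python
from collections import Counter

# Constructed placeholders: replace with the patched versions from Apple's advisory.
MIN_PATCHED = {"iOS": "99.1", "macOS": "99.1"}

# Constructed MDM inventory rows: (device_id, platform, os_version, high_risk_user)
INVENTORY = [
    ("dev-01", "iOS", "99.1", True),
    ("dev-02", "iOS", "99.0.1", True),
    ("dev-03", "macOS", "98.7", False),
    ("dev-04", "iOS", "99.0", False),
]

# Constructed crash telemetry rows: (device_id, crashed_process)
CRASHES = [
    ("dev-02", "com.apple.WebKit.WebContent"),
    ("dev-02", "com.apple.WebKit.WebContent"),
    ("dev-02", "com.apple.WebKit.GPU"),
    ("dev-03", "ExampleNotes"),
    ("dev-04", "com.apple.WebKit.WebContent"),
    ("dev-01", "com.apple.WebKit.WebContent"),
]

def parse_version(v, width=3):
    """'99.1' -> (99, 1, 0): compare numerically and treat 99.1 as 99.1.0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_unpatched(platform, version, minimums):
    minimum = minimums.get(platform)
    if minimum is None:
        return True  # no known minimum for this platform: fail closed and review
    return parse_version(version) < parse_version(minimum)

def triage(inventory, crashes, minimums):
    """Unpatched devices, ordered: high-risk users first, then most WebKit crashes."""
    webkit = Counter(dev for dev, proc in crashes if "WebKit" in proc)
    flagged = [
        {"device": dev, "webkit_crashes": webkit[dev], "high_risk": hr}
        for dev, plat, ver, hr in inventory
        if is_unpatched(plat, ver, minimums)
    ]
    return sorted(flagged, key=lambda d: (not d["high_risk"], -d["webkit_crashes"], d["device"]))
```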
Apple’s latest patches bring its number of in-the-wild zero-day patches in 2025 to at least nine, showing no slackening in the exploitation tempo. The convergence of WebKit and ANGLE bugs, the sophistication of the attacks, and the echoes of earlier complex spyware attacks on browser engines and graphics layers point to an uncomfortable reality: mobile platforms are being targeted aggressively, and the most basic elements of these platforms (browser engines, graphics layers, and image codecs) are fields of activity for APT actors.

