What happened
Apple has warned iPhone and iPad users about critical security vulnerabilities in WebKit, the browser engine that powers Safari and all iOS browsers. These zero‑day flaws (CVE‑2025‑43529 and CVE‑2025‑14174) could allow an attacker to execute arbitrary code or corrupt device memory simply by rendering malicious web content. Apple released security updates in iOS 26.2 and iPadOS 26.2 to address these issues, which have been actively exploited in the wild, and urged users to update without delay.
Who is affected
The vulnerabilities impact a broad set of Apple devices running WebKit, including iPhones from the iPhone 11 onward and a range of iPads (e.g., iPad Air 3rd gen+, iPad mini 5th gen+). macOS and other Apple platforms that use WebKit are also affected until patched. Users with automatic updates disabled remain at risk.
Why CISOs should care
Zero‑day exploits that require no user interaction beyond visiting a web page are extremely dangerous in enterprise environments. Compromised devices could lead to lateral movement, data exfiltration, or credential theft within corporate networks. High‑profile attacks against iOS devices often target executives, journalists, and security professionals, illustrating that sophisticated threat actors can exploit mobile platforms as part of broader intrusion campaigns.
3 practical actions for security teams
- Enforce patch compliance: Verify all managed iOS/iPadOS devices are updated to iOS 26.2 / iPadOS 26.2 or later immediately and ensure automatic updates are enabled where possible.
- Update threat intel and EDR policies: Incorporate the CVE‑2025‑43529 and CVE‑2025‑14174 indicators into mobile threat detection, and tune mobile EDR/XDR tools to flag suspicious WebKit exploit attempts.
- Harden mobile security posture: Promote use of strong passcodes, biometric locks, and corporate MDM controls; restrict installation of unvetted profiles or enterprise apps; and educate users about risks of visiting untrusted web content.
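The patch-compliance check in the first action can be automated against an MDM inventory export. The following is an added example, not code from the original brief or from Apple: it assumes an export with per-device `name`, `os` and `version` fields (a constructed sample is embedded; real MDM field names will differ) and compares versions numerically so that "26.10" is not mistaken for an older build than "26.2".

```python
"""Flag managed iOS/iPadOS devices that have not reached iOS/iPadOS 26.2.

Added example for this advisory; field names and sample devices are
constructed, not taken from any real MDM or from Apple's advisory.
"""
from __future__ import annotations

# Minimum fixed releases named in the advisory for the two platforms it states.
PATCHED = {"iOS": "26.2", "iPadOS": "26.2"}

# Constructed sample inventory (no real devices).
SAMPLE_INVENTORY = [
    {"name": "exec-iphone-01", "os": "iOS", "version": "26.2"},
    {"name": "exec-iphone-02", "os": "iOS", "version": "26.1.1"},
    {"name": "field-ipad-07", "os": "iPadOS", "version": "26.2.1"},
    {"name": "kiosk-ipad-03", "os": "iPadOS", "version": "18.7"},
    {"name": "lab-iphone-09", "os": "iOS", "version": "26.10"},
    {"name": "mac-dev-04", "os": "macOS", "version": "26.1"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Split '26.2.1' into (26, 2, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(os_name: str, version: str) -> bool:
    """True when the device is at or above the advisory's minimum release.

    Platforms whose fixed version the advisory does not state (e.g. macOS)
    are reported as not verified, so they surface for manual review.
    """
    minimum = PATCHED.get(os_name)
    if minimum is None:
        return False
    return parse_version(version) >= parse_version(minimum)


def non_compliant(inventory: list[dict]) -> list[str]:
    """Return names of devices that still need the WebKit fix or a manual check."""
    return [d["name"] for d in inventory if not is_patched(d["os"], d["version"])]


if __name__ == "__main__":
    for name in non_compliant(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {name}")
```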
