
Apple WebKit Zero-Day Exploited in Targeted Attacks (CVE-2025-14174)

Filip Dimitrov

December 14, 2025

Apple has released emergency security updates to address CVE-2025-14174, a zero-day vulnerability in WebKit that has been actively exploited in the wild as part of a highly targeted and “extremely sophisticated” attack campaign. The vulnerability can be triggered by maliciously crafted web content, requiring no user interaction beyond visiting a webpage.

The flaw affects iOS, iPadOS, macOS, and Safari, and exploitation was confirmed on unpatched iOS devices running versions prior to iOS 26. Apple has not disclosed full technical details, but confirmed real-world exploitation against specific individuals.

Vulnerability Details

CVE-2025-14174 is a memory corruption vulnerability in Apple’s WebKit browser engine that occurs during the processing of specially crafted web content. Successful exploitation allows an attacker to corrupt browser memory, potentially enabling arbitrary code execution within the WebKit process.

While memory corruption flaws are often used as part of a broader exploit chain, Apple confirmed that this vulnerability was directly exploited in real-world attacks, indicating it was reliable enough for operational use by advanced threat actors.

This vulnerability was addressed through coordinated disclosure between Apple and Google: the same underlying issue also affected Chromium’s ANGLE graphics component on macOS, which explains the cross-vendor patch coordination.

Exploitation Status

Apple has confirmed that CVE-2025-14174 was actively exploited in the wild and described the attacks as “extremely sophisticated.” The wording and lack of public indicators strongly suggest targeted intrusion activity, potentially including espionage or spyware-style operations, rather than mass exploitation. CVE-2025-14174 has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming verified exploitation activity.

Exploitation was observed on unpatched iOS devices prior to iOS 26, and while Apple has not released indicators of compromise (IOCs), the vulnerability’s characteristics align with browser-based initial access techniques commonly used by advanced threat actors.

Affected Platforms

Apple has released fixes for CVE-2025-14174 across the following platforms:

  • iOS / iPadOS 26.2
  • iOS / iPadOS 18.7.3
  • macOS Tahoe 26.2
  • Safari 26.2
  • tvOS 26.2
  • watchOS 26.2
  • visionOS 26.2

Affected devices include iPhone 11 and later and multiple generations of iPad models.

Remediation & Mitigation

Apply Apple security updates immediately across all supported devices and operating systems.

Prioritize patching for:

  • Executive and high-risk users
  • Devices used for sensitive communications
  • Internet-facing macOS systems
  • Mobile devices with access to corporate email, messaging, or VPNs

Additionally, organizations should consider enforcing minimum OS and browser versions via MDM or device compliance policies where possible.

It is best to assume potential exposure for any unpatched device and ensure updates are applied without delay.
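The minimum-version enforcement described above can be spot-checked against an MDM inventory export. The following is an added example, not code from Apple or from this advisory's authors: it flags devices below the fixed releases listed under Affected Platforms. The CSV column names and device records are constructed, and treating release trains newer than the listed fixes as patched is an assumption.

```python
import csv
import io

# Fixed releases as listed on this page for CVE-2025-14174.
_MOBILE = [(18, 7, 3), (26, 2)]
FIXED = {"ios": _MOBILE, "ipados": _MOBILE}
FIXED.update({p: [(26, 2)] for p in ("macos", "safari", "tvos", "watchos", "visionos")})

def parse_version(text):
    """'18.7.3' -> (18, 7, 3); raises ValueError on empty or non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(platform, version_text):
    """True if the version is at or above the fix for its release train."""
    fixes = FIXED.get(platform.strip().lower())
    try:
        version = parse_version(version_text)
    except ValueError:
        return False  # unparseable version: fail closed
    if not fixes:
        return False  # unknown platform: fail closed and review manually
    for fix in fixes:
        if version[0] == fix[0]:
            return version >= fix  # same train: compare against its own fix
    # Assumption: trains newer than the newest listed fix already include it;
    # older trains with no listed fix are treated as unpatched.
    return version[0] > max(fix[0] for fix in fixes)

# Constructed sample inventory export (hypothetical column names and devices).
SAMPLE_INVENTORY = """device,owner,platform,version
iphone-001,exec,iOS,26.1
iphone-002,staff,iOS,18.7.3
ipad-003,staff,iPadOS,17.7.2
mac-004,it,macOS,26.2
mac-005,staff,Safari,18.6
watch-006,exec,watchOS,26.2
tv-007,lobby,tvOS,
"""

def noncompliant(inventory_csv):
    """Return device names that are below the fixed release for their platform."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [r["device"] for r in rows if not is_patched(r["platform"], r["version"])]

if __name__ == "__main__":
    for device in noncompliant(SAMPLE_INVENTORY):
        print("needs update:", device)
```

Records with a missing or unparseable version are reported as non-compliant so that gaps in the inventory surface for follow-up.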

Stay Safe. Stay Secure.
OP Innovate Research Team
