Apple Confirms Attacks—All iPhone Users Must Update Now - Forbes
December 13, 2025 at 3:25 PM
Apple confirms targeted iPhone attacks—update to iOS 26.2 now
Apple has disclosed two linked WebKit zero-day vulnerabilities (CVE-2025-14174 and CVE-2025-43529) that were used in highly targeted attacks against users on pre–iOS 26 devices. The fixes ship in iOS 26.2, available today. While older versions (like iOS 18) still receive patches, Apple’s guidance and the current threat level make upgrading to iOS 26 the safer choice.
Why this matters:
- The WebKit bugs enable code execution and memory corruption and were likely chained as part of a spyware-style attack.
- iOS 26.2 addresses eight WebKit issues overall, plus fixes for problems that could expose Messages data or reveal password fields during FaceTime remote sessions.
- Additional high-impact patches include a kernel privilege-escalation flaw (CVE-2025-46285) and an App Store issue (CVE-2025-46288) that could have exposed payment tokens.
Who is affected:
- All iPhone users—especially anyone running versions prior to iOS 26. Although attacks appear narrowly targeted, exploits often proliferate once patches are public.
Why WebKit is a prime target:
- Every iOS browser and many apps rely on WebKit, making it a single point of failure. Since 2023, attackers have exploited at least 17 WebKit zero-days in the wild.
What to do now:
- Update to iOS 26.2 immediately on all Apple devices.
- Consider enabling iCloud Private Relay, using Private Browsing, and temporarily disabling JavaScript on untrusted sites to reduce exposure.
- Don’t delay: once details are public, the window for attackers widens, and there’s no meaningful workaround beyond installing the update.
The broader picture:
- Android faced similar in-the-wild exploits earlier this month and pushed emergency fixes. A U.S. cyber advisory for iOS users is likely to follow.
Bottom line: Install iOS 26.2 now. It’s the most effective defense against these active exploits and related risks.
Back…