CISA Warns of Apple WebKit Vulnerability Actively Exploited in Attacks

CISA issued an urgent warning about a critical Apple WebKit zero-day vulnerability actively exploited in attacks

Dec 30, 2025
Technobezz

CISA issued an urgent warning about a critical Apple WebKit zero-day vulnerability actively exploited in attacks. The cybersecurity agency added CVE-2025-43529 to its known exploited vulnerabilities catalog on December 16, setting a January 5, 2026 deadline for federal agencies to patch.

Apple released emergency security updates on December 12 addressing two WebKit vulnerabilities exploited in sophisticated attacks. According to Apple's support documentation, the company described the incidents as "extremely sophisticated" attacks against specific individuals using iOS versions before iOS 26.

CVE-2025-43529 is a use-after-free vulnerability in WebKit's memory management layer. Attackers can trigger arbitrary code execution through maliciously crafted web content without user interaction. The flaw affects iOS, iPadOS, macOS, and other Apple platforms using WebKit for HTML rendering.

Google simultaneously patched a related Chrome vulnerability sharing the same CVE-2025-14174 identifier. Both companies collaborated through their security teams, with Google's Threat Analysis Group and Apple's Security Engineering and Architecture team jointly discovering the memory corruption issue.

The WebKit engine powers Safari and underpins web browsing across Apple's entire ecosystem. This includes iPhone, iPad, Mac, Apple Watch, Apple TV, and visionOS devices. Third-party applications using WebKit for HTML rendering also face potential exposure.

Apple deployed patches via iOS 26.2, iPadOS 26.2, iOS 18.7.3, iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. The company confirmed the vulnerabilities were addressed in security updates for these versions.

Security experts warn that zero-day vulnerabilities like these represent high-risk threats often associated with state-sponsored groups or commercial surveillance tools. Once weaponized, such exploits can spread rapidly among threat actors as technical details become public.

CISA's Binding Operational Directive 22-01 requires federal agencies and contractors to patch known exploited vulnerabilities within specified timeframes. The January 5 deadline applies specifically to CVE-2025-43529, though all organizations face immediate risks.

Apple advises users to update devices immediately through Settings > General > Software Update. The company recommends that users not solely rely on automatic updates in the initial days after patch release and suggests manually checking for updates.

Google similarly urged Chrome users to restart browsers after updating to ensure fixes apply completely. Background updates alone may not provide full protection without a restart, according to the company's guidance.

Security researchers emphasize that patches set off a race between defenders and attackers. Vendors limit technical details to hinder reverse engineering, giving customers time to secure systems before exploits become widely available.

The coordinated response between Apple and Google reflects growing industry collaboration on shared security threats. Cross-vendor cooperation helps shorten exploitation windows and prevents fragmented protection across platforms.

Organizations should inventory all systems using WebKit-based browsers and applications. Where immediate patching isn't feasible, administrators can restrict web browsing to trusted sites and implement network-based content filtering.
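One way to run that inventory check against the fixed releases listed above, as an added example (not Apple or CISA tooling). The CSV layout, host names and status labels are assumptions made for illustration.

```python
import csv
import io
import re

# Fixed releases as listed in the article. iOS and iPadOS have two patched
# branches (18.x and 26.x); every other platform listed has one.
V26 = (26, 2, 0)
FIXED = {
    "iOS": [(18, 7, 3), V26], "iPadOS": [(18, 7, 3), V26],
    "macOS": [V26], "tvOS": [V26], "watchOS": [V26],
    "visionOS": [V26], "Safari": [V26],
}

def parse_version(text):
    """Turn '18.7.2' or '26.1 (a)' into a 3-part tuple; None if unparseable."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def classify(platform, version_text):
    fixes, version = FIXED.get(platform), parse_version(version_text)
    if fixes is None or version is None:
        return "review"            # platform or version not recognised
    for fix in fixes:
        if version[0] == fix[0]:   # same release branch: compare directly
            return "patched" if version >= fix else "needs-update"
    if version[0] > max(f[0] for f in fixes):
        return "patched"           # assumption: later majors carry the fix
    return "no-fix-listed"         # article lists no fixed release on this branch

def audit(inventory_csv):
    """Return {host: status} for CSV text with host,platform,version columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """host,platform,version
exec-iphone,iOS,26.1
kiosk-ipad,iPadOS,18.7.3
field-iphone,iOS,18.7.2
legacy-iphone,iOS,17.7
design-mac,macOS,26.2
lobby-tv,tvOS,26.1 (a)
"""

for host, status in audit(SAMPLE).items():
    print(f"{host:14} {status}")
```

Hosts reported as `no-fix-listed` are on a release branch for which the article names no patched version, so they need a manual decision rather than a routine update.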

High-value targets including journalists, government officials, corporate executives, activists, and cybersecurity researchers face elevated risks from sophisticated zero-day attacks. However, all users become vulnerable once exploits become public knowledge.

Apple's notification practice for targeted spyware attacks, established in 2021, continues alongside these security updates. The company previously issued similar warnings in September regarding CVE-2025-43300 in its ImageIO framework.

Cybersecurity professionals recommend enabling automatic security updates across all Apple devices. Additional protective measures include using reputable security software, avoiding untrusted websites, and limiting browser extensions to necessary, well-maintained options.

The emergence of multiple zero-day vulnerabilities in rapid succession underscores the ongoing arms race between software developers and attackers. As systems grow more complex, hidden flaws provide increasing opportunities for exploitation.

Technology companies continue investing in security research, bug bounty programs, and automated testing tools to identify vulnerabilities before attackers. However, experts acknowledge no system can ever be completely free of flaws.

For users, keeping devices and applications updated remains one of the most effective defenses against advanced cyber threats. While zero-day attacks may be unavoidable, their impact can be significantly reduced through vigilance and timely action.
