NG Solution Team

Is an Apple WebKit vulnerability being actively exploited?

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical zero-day vulnerability in Apple WebKit, which is currently being actively exploited in cyberattacks. The vulnerability, identified as CVE-2025-43529, has been added to CISA’s catalog of known exploited vulnerabilities with a deadline set for January 5, 2026, by which federal agencies must apply the necessary patches.

Apple responded by releasing emergency security updates on December 12 to address two WebKit vulnerabilities. These updates aim to protect against highly sophisticated attacks targeting specific individuals using iOS versions prior to iOS 26. The vulnerability involves a use-after-free issue in WebKit’s memory management, allowing attackers to execute arbitrary code through malicious web content without user interaction. This flaw affects various Apple platforms, including iOS, iPadOS, macOS, and others that utilize WebKit for HTML rendering.

In a coordinated effort, Google also patched a related Chrome vulnerability sharing the CVE-2025-14174 identifier. The vulnerability was jointly discovered by Google’s Threat Analysis Group and Apple’s Security Engineering and Architecture team.

WebKit, the engine behind Safari, is integral to web browsing across Apple’s ecosystem, impacting devices such as iPhones, iPads, Macs, Apple Watches, Apple TVs, and visionOS devices. Third-party applications using WebKit for HTML rendering are also at risk.

Apple has rolled out patches through updates for iOS 26.2, iPadOS 26.2, iOS 18.7.3, iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2, confirming the vulnerabilities have been addressed.

Security experts caution that zero-day vulnerabilities pose significant risks, often linked to state-sponsored groups or commercial surveillance tools. Once weaponized, these exploits can quickly proliferate among threat actors as technical details become available.

CISA’s Binding Operational Directive 22-01 mandates that federal agencies and contractors patch known exploited vulnerabilities within set timeframes, with the January 5 deadline specifically targeting CVE-2025-43529. All organizations are urged to address these immediate risks.
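A fleet check against the fixed releases and the deadline given above, as an added example that is not from CISA or Apple. The inventory format, hostnames and status labels are assumptions, and the table holds only the versions this article names.

```python
from datetime import date

# Fixed releases named in the article, keyed by platform and major-version branch.
FIXED = {
    "iOS":      {26: (26, 2, 0), 18: (18, 7, 3)},
    "iPadOS":   {26: (26, 2, 0), 18: (18, 7, 3)},
    "macOS":    {26: (26, 2, 0)},
    "tvOS":     {26: (26, 2, 0)},
    "watchOS":  {26: (26, 2, 0)},
    "visionOS": {26: (26, 2, 0)},
    "Safari":   {26: (26, 2, 0)},
}
KEV_DUE = date(2026, 1, 5)  # CISA deadline stated in the article


def parse_version(text):
    """'18.7' -> (18, 7, 0); pads to three components so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def patch_status(platform, version):
    """Return 'patched', 'vulnerable', or 'no-fix-listed' for one device."""
    branches = FIXED.get(platform)
    if branches is None:
        return "no-fix-listed"
    v = parse_version(version)
    if v[0] > max(branches):
        return "patched"          # assumption: later major releases include the fix
    fixed = branches.get(v[0])
    if fixed is None:
        return "no-fix-listed"    # article names no fixed build for this branch
    return "patched" if v >= fixed else "vulnerable"


def audit(inventory, today):
    """Return (host, status, days_to_deadline) for every device not confirmed patched."""
    days_left = (KEV_DUE - today).days
    return [(host, status, days_left)
            for host, platform, version in inventory
            if (status := patch_status(platform, version)) != "patched"]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [
    ("iphone-01", "iOS", "26.1"),
    ("iphone-02", "iOS", "18.7.3"),
    ("ipad-07", "iPadOS", "18.7.2"),
    ("mac-12", "macOS", "26.2"),
    ("iphone-legacy", "iOS", "17.7"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE, date(2025, 12, 20)):
        print(row)
```

Devices reported as `no-fix-listed` sit on a branch for which this article names no fixed build, so they need a check against Apple's own advisory rather than an assumption either way.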

Apple advises users to promptly update their devices through Settings > General > Software Update and recommends manually checking for updates rather than relying solely on automatic updates in the initial days following a patch release.
