New iOS and iPadOS Flaws Leave Millions of iPhones at Risk
Briefly

"According to this iOS and iPadOS security document, both flaws stem from two WebKit bugs that allow attackers to execute malicious code in Safari, thereby gaining further access to the device. The exploitation process works as follows: An attacker hides malicious code in a compromised webpage. When the page loads, WebKit mishandles memory. The flaw allows malicious code to run in the browser. A second bug enables deeper access, exposing device data."
"The vulnerability, known as a zero-click flaw, requires no user action to execute. With both flaws present, a breach can happen simply by visiting a website. Hacker News reported that before Apple discovered and patched them, these were zero-day vulnerabilities running in the wild. The fix is available in iOS 26.2, making most older iPhones and iPads ineligible."
Two critical WebKit vulnerabilities (CVE-2025-43529 and CVE-2025-14174) enable attackers to execute malicious code in Safari and gain full device access, including passwords and financial data. Exploitation proceeds in stages: an attacker hides malicious code in a compromised webpage, WebKit mishandles memory when the page loads, the code executes in the browser, and a second bug enables deeper access that exposes device data. The flaw is zero-click and requires no user action; visiting a website can trigger a breach. Fixes are available in iOS 26.2, and Apple issued iOS 18.7.3 and iPadOS 18.7.3 for some older models. Users should upgrade supported devices including iPhone 11 and later, iPad Pro 12.9-inch (3rd gen and later), iPad Pro 11-inch (1st gen and later), iPad Air (3rd gen and later), iPad (8th gen and later), and iPad mini (5th gen and later). Research indicates attackers are targeting specific individuals, possibly political and public figures.
Read at TechRepublic