CVE-2025-43529: Apple Zero-Day Under Active Attack

CVE ID: CVE-2025-43529

Severity: HIGH | CVSS: 8.8

Sources: 2 different security sources

Let Me Explain What Happened

Apple has just patched a serious security flaw that attackers have already been using in the wild against specific targeted individuals. This vulnerability, tracked as CVE-2025-43529, is what we call a "zero-day"—meaning the bad actors found it and exploited it before Apple could fix it. The flaw affects a wide range of Apple devices, from iPhones and iPads to Macs, Apple Watches, Apple TVs, and even the Safari web browser. What makes this particularly concerning is that Apple has confirmed this vulnerability was exploited in what they describe as "an extremely sophisticated attack" against specific targeted individuals running older versions of iOS.

Here's what you need to understand: when attackers exploit this flaw, they can potentially take complete control of your device by tricking it into processing specially crafted web content. Think of it like leaving a door unlocked in your device's memory—attackers can walk right through it and run whatever code they want, potentially installing spyware or backdoors without you ever noticing.

A Bit More Detail

This vulnerability is what security researchers call a "use-after-free" issue. Imagine your device's memory as a library where books (data) are constantly being checked out and returned. A use-after-free bug happens when the system tries to read a book that's already been returned and the space has been given to someone else. Attackers can exploit this confusion to slip their own malicious instructions into that space, tricking your device into executing their code instead of legitimate operations.

The National Vulnerability Database has assigned this a CVSS score of 8.8 out of 10, placing it firmly in the "HIGH" severity category. The attack vector is network-based, meaning attackers can reach you over the internet, and it requires user interaction—typically by getting you to visit a malicious website or open specially crafted web content. Once triggered, though, the attacker can achieve complete compromise: reading your data, modifying information, and disrupting your device's availability.

The Technical Specifics

• Attack Vector: NETWORK (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
• Attack Complexity: Low—once the exploit is developed, it's relatively straightforward to deploy
• Privileges Required: None—attackers don't need any special access to your device beforehand
• User Interaction: Required—you need to visit a malicious site or open malicious content
• CWE Classification: CWE-416 (Use After Free)
• Affected Products:
  • iOS versions before 18.7.3 and 26.2
  • iPadOS versions before 18.7.3 and 26.2
  • macOS Tahoe before 26.2
  • Safari before 26.2
  • watchOS before 26.2
  • visionOS before 26.2
  • tvOS before 26.2
• Related CVE: CVE-2025-14174 was also issued in response to the same attack report
• CISA Status: Added to the Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation

Understanding the Timeline

Let me walk you through how this unfolded. The vulnerability was officially published to the National Vulnerability Database on December 17, 2025. However, the real-world exploitation happened before that—this is the hallmark of a zero-day attack. Cyble's vulnerability intelligence researchers tracked this as part of their weekly roundup published on January 28, 2026, noting it among over 1,000 vulnerabilities tracked that week. Malwarebytes Labs provided more detailed coverage on February 12, 2026, emphasizing the active exploitation and the urgent need for users to update their devices.

The fact that CISA added this to their Known Exploited Vulnerabilities catalog tells us something important: this isn't theoretical. Federal agencies consider this a confirmed, active threat that organizations need to address immediately.

What You Should Do About This

I know security updates can sometimes feel disruptive, but this is one of those times where updating really matters. Here's my guidance, broken down into immediate actions and longer-term practices:

• Right Now (Do This Today):
  • Update your iPhone or iPad: Go to Settings → General → Software Update. Install iOS 18.7.3 (or iOS 26.2) or iPadOS 18.7.3 (or iPadOS 26.2) immediately. Apple has improved their memory management to close this security hole.
  • Update your Mac: Click the Apple menu → System Settings → General → Software Update. Install macOS Tahoe 26.2.
  • Update Safari: If you're running Safari separately, update to version 26.2 through Software Update.
  • Update other Apple devices: Don't forget your Apple Watch (watchOS 26.2), Apple TV (tvOS 26.2), and Vision Pro (visionOS 26.2).
  • Be extra cautious with links: Until you've updated, be particularly careful about clicking links in emails, messages, or visiting unfamiliar websites. This vulnerability requires you to process malicious web content, so limiting your exposure reduces risk.
• For the Long Term:
  • Enable automatic updates: On iOS/iPadOS, go to Settings → General → Software Update → Automatic Updates and turn on both "Download iOS Updates" and "Install iOS Updates." This ensures you get critical security patches as soon as Apple releases them.
  • Verify your update: After updating, go back to Settings → General → About and confirm you're running the patched version. For iOS/iPadOS, you should see 18.7.3, 26.2, or higher.
  • Review your security posture: If you're in a high-risk category (journalist, activist, business executive, government employee), consider additional protections like Apple's Lockdown Mode, which restricts certain functionalities to reduce attack surface.
  • Monitor for unusual behavior: While this vulnerability was used in targeted attacks, watch for signs of compromise: unexpected battery drain, unusual network activity, apps you didn't install, or settings changes you didn't make.

For Security Teams and IT Administrators

If you're responsible for managing Apple devices in your organization, here's what I recommend:

• Prioritize deployment: Given the HIGH severity rating and confirmed exploitation, treat this as a critical patch. Use your Mobile Device Management (MDM) solution to push updates to managed devices immediately.
• Inventory your devices: Identify all devices running affected versions. Pay special attention to devices running iOS versions before iOS 26, as Apple specifically noted these were targeted in the sophisticated attacks.
• Network monitoring: While specific IOCs weren't disclosed in the available sources, monitor for unusual outbound connections from Apple devices, particularly to newly registered domains or known malicious infrastructure.
• User awareness: Brief your users on the importance of this update and the social engineering tactics that might be used to deliver the exploit (phishing emails with malicious links, compromised websites, etc.).
• Incident response preparation: If you have devices that were running vulnerable versions and haven't been updated, consider them potentially compromised if users visited untrusted websites. Conduct forensic analysis on high-value targets.

Going Deeper: The Technical Perspective

For those of you who want to understand the underlying mechanics, let's talk about use-after-free vulnerabilities in more detail. These bugs occur in memory management when a program continues to use a pointer after the memory it points to has been freed. In languages like C and C++—which are commonly used in browser engines and operating system components—developers must manually manage memory allocation and deallocation.

The vulnerability exists in WebKit, Apple's browser engine that powers Safari and web content rendering across all Apple platforms. When processing malicious web content, the engine could free a memory object but then attempt to use it again. An attacker who can control what gets written into that freed memory space can redirect program execution to their own code.

From a MITRE ATT&CK framework perspective, this vulnerability enables several techniques:

• T1203 - Exploitation for Client Execution: The primary technique, using the vulnerability to execute arbitrary code when the victim processes malicious web content
• T1189 - Drive-by Compromise: Attackers could host the exploit on compromised or malicious websites, infecting visitors without their knowledge
• T1566 - Phishing: Likely delivery mechanism, sending targeted individuals links to exploit-hosting pages
• T1068 - Exploitation for Privilege Escalation: Once initial code execution is achieved, attackers could chain this with other vulnerabilities for deeper system access

The fact that Apple describes this as an "extremely sophisticated attack" suggests the exploit chain was complex, possibly involving multiple vulnerabilities (note the related CVE-2025-14174) and advanced techniques to bypass Apple's security mitigations like Address Space Layout Randomization (ASLR) and Pointer Authentication Codes (PAC).

Why This Matters Beyond Apple Users

Even if you don't use Apple products, this vulnerability teaches us important lessons about the current threat landscape. First, zero-day vulnerabilities are increasingly being used in targeted attacks against high-value individuals. Second, memory safety issues remain a critical challenge even for well-resourced companies with mature security programs. Third, the rapid weaponization of vulnerabilities means the window between discovery and exploitation is shrinking—making timely patching more critical than ever.

Where I Found This Information

• National Vulnerability Database - CVE-2025-43529 (Authoritative source for CVSS scoring and technical details)
• Apple Security Update - watchOS 26.2
• Apple Security Update - Safari 26.2
• Apple Security Update - iOS 18.7.3 and iPadOS 18.7.3
• Apple Security Update - iOS 26.2 and iPadOS 26.2
• Apple Security Update - macOS Tahoe 26.2
• Apple Security Update - visionOS 26.2
• Apple Security Update - tvOS 26.2
• CISA Known Exploited Vulnerabilities Catalog (Confirms active exploitation)
• Malwarebytes Labs - Apple patches zero-day flaw (Credibility: 8)
• Cyble - The Week in Vulnerabilities (Credibility: 8)

Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere, though given the active exploitation of this vulnerability, rapid deployment is warranted for most environments.