Apple Tells 1.8 Billion iPhone Users to Update Now Over 'Extremely Sophisticated Attack' - Ruckus Factory

Apple urgently warned 1.8 billion iPhone and iPad users of two zero-day vulnerabilities under active exploitation in sophisticated attacks, prompting the release of iOS 26.2 to secure WebKit, the engine behind Safari and other iOS browsers.

Zero-Day Vulnerabilities Explained

These flaws, CVE-2025-43529 and CVE-2025-14174, were identified by Apple Security Engineering and Google’s Threat Analysis Group. CVE-2025-43529 carries a severity score of 9.8 out of 10, while CVE-2025-14174 scores 8.8. Both permit arbitrary code execution via malicious websites, exploiting devices without user interaction in zero-click attacks.

Targeted Attack Campaign Detected

Apple reported exploitation limited to specific individuals, aligning with patterns from mercenary spyware like NSO Group’s Pegasus and Intellexa’s Predator. These tools, marketed to governments, target journalists, activists, politicians, and human rights defenders in over 150 countries. Intellexa alone has leveraged at least 15 unique zero-days against mobile browsers.

Affected Devices and Updates

iOS 26.2 patches these issues on iPhone 11 and later models, plus recent iPad Pro, Air, and mini variants. Parallel updates cover macOS Tahoe 26.2, watchOS 26.2, and Safari 26.2. Older iOS versions no longer receive updates beyond this release, funneling compatible devices to iOS 26.2. The package fixes 26 vulnerabilities total, including kernel flaw CVE-2025-43462, which could grant root privileges for bypassing app protections, stealing credentials, and hijacking sessions.

Apple’s Background Security Improvements, launched in iOS 26.1, deploys silent patches for Safari, WebKit, and libraries during charging and Wi-Fi connections, succeeding the less-adopted Rapid Security Response system.

Defenses and Detection Tools

Since 2021, Apple has notified users in over 150 countries of spyware threats, with December 2025 alerts reaching at least 80 nations via appleid.apple.com, email, and iMessage. Lockdown Mode, available since 2022, offers robust protection by restricting attachments, JavaScript, unknown calls, and wired links when locked; Apple reports no successful infections on enabled devices.

Third-party tools aid detection: iVerify began scanning devices in May 2024 and has analyzed over 2,500 devices, uncovering seven Pegasus cases among journalists, activists, executives, and officials. Amnesty International’s Mobile Verification Toolkit analyzes devices against spyware indicators.

Broader Threat Landscape

iOS 26.2 marks the seventh and eighth zero-days patched by Apple in 2025, amid a booming market where iOS exploit chains fetch millions. The U.S. Cybersecurity and Infrastructure Security Agency listed CVE-2025-43529 in its Known Exploited Vulnerabilities Catalog, requiring federal patches by January 5, 2026. Sanctions hit NSO in 2021 and Intellexa in March 2024, yet firms persist via shell companies. A May 2025 California ruling fined NSO $168 million for WhatsApp hacks affecting 1,400 users; Apple also sued NSO over global targeting.

Users must update immediately via Settings > General > Software Update, enable auto-updates, and activate Background Security Improvements under Privacy & Security. High-risk groups should use Lockdown Mode and tools like iVerify.

Persistent zero-day exploitation underscores an enduring surveillance risk from mercenary vendors and states. While updates and tools mitigate threats, global cooperation on regulation and accountability will determine long-term user safeguards in a hyper-connected era.
