Apple Patches Two Zero-Day WebKit Vulnerabilities in iOS 26, Urging Immediate Updates
On December 12, 2025, Apple released critical security patches for two actively exploited WebKit zero-day vulnerabilities affecting iPhone 11 and newer devices. The flaws, linked to mercenary spyware, allowed attackers to execute arbitrary code via malicious web content, posing risks even to users who avoid high-risk behavior.
WebKit, the engine behind Safari and many iOS apps, represents a broad attack surface. Apple confirmed the vulnerabilities were already being exploited in the wild, primarily in highly targeted campaigns against diplomats, journalists, and executives. However, such exploits often spread beyond initial targets as tooling leaks or gets repurposed.
The fixes are only available in iOS 26+, which includes new memory protections like Memory Integrity Enforcement. Despite this, adoption of iOS 26 has been slow: only 4.6% of active iPhones run iOS 26.2 as of January 2026, with just 16% on any iOS 26 version. Older, unsupported devices will not receive these protections.
Upgrading to iOS 26.2 also forces a device restart, which flushes memory-resident malware, a common tactic used by advanced spyware to avoid persistence. Apple’s update process ensures users both patch vulnerabilities and clear potential infections in one step.
The vulnerabilities also heighten risks for Apple Mail users, as malicious HTML-formatted emails could trigger exploitation. While Apple’s Lockdown Mode offers additional protection for high-value targets, the primary defense remains updating to the latest iOS version.
Apple cybersecurity rating report: https://www.rankiteo.com/company/apple
"id": "APP1768336376",
"linkid": "apple",
"type": "Vulnerability",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Primarily high-value targets '
'(diplomats, journalists, '
'executives), but potentially '
'all iOS 26- users',
'industry': 'Technology, Media, Government, Journalism',
'location': 'Global',
'name': 'Apple iOS/iPadOS Users',
'size': 'Millions of users',
'type': 'Consumer/Enterprise'}],
'attack_vector': 'Malicious web content (WebKit-based)',
'customer_advisories': 'Users were notified via in-app Software Update '
'prompts and public advisories to upgrade to iOS 26.2+ '
'and restart devices regularly.',
'data_breach': {'data_exfiltration': 'Possible (spyware capabilities)',
'personally_identifiable_information': 'Possible (if '
'targeted)',
'sensitivity_of_data': 'High (if exploited for surveillance)',
'type_of_data_compromised': 'Potential arbitrary code '
'execution (device access)'},
'date_detected': '2025-12-12',
'date_publicly_disclosed': '2025-12-12',
'date_resolved': '2025-12-12',
'description': 'On December 12, 2025, Apple patched two WebKit zero-day '
'vulnerabilities linked to mercenary spyware. These '
'vulnerabilities allowed attackers to execute arbitrary code '
'on a device via malicious web content. The vulnerabilities '
'were exploited in highly targeted attacks, primarily against '
'diplomats, journalists, or executives, but are likely to '
'expand over time. Apple confirmed active exploitation in the '
'wild and urged users to update to iOS 26+ for critical fixes '
'and memory protections.',
'impact': {'brand_reputation_impact': "Moderate (Apple's security response "
'under scrutiny)',
'data_compromised': 'Potential arbitrary code execution leading to '
'data exposure',
'identity_theft_risk': 'High (if exploited for surveillance)',
'operational_impact': 'Potential device compromise, unauthorized '
'access',
'systems_affected': 'iPhones (iPhone 11 and newer), iPads, and '
'other iOS/iPadOS devices running vulnerable '
'WebKit versions'},
'initial_access_broker': {'entry_point': 'WebKit vulnerabilities (malicious '
'web content)',
'high_value_targets': ['Diplomats',
'Journalists',
'Executives']},
'investigation_status': 'Resolved (patches released)',
'lessons_learned': '1) Zero-day vulnerabilities in WebKit pose significant '
'risks due to its widespread use in iOS apps. 2) '
'High-value targets (e.g., diplomats, journalists) are '
'often the first victims but exploits may later spread. 3) '
'Regular device restarts can mitigate memory-resident '
'malware. 4) Slow iOS adoption leaves users vulnerable to '
'accumulating security risks.',
'motivation': 'Espionage, targeted surveillance',
'post_incident_analysis': {'corrective_actions': 'Apple released iOS 26.2 '
'with patches and Memory '
'Integrity Enforcement. '
'Users were advised to '
'upgrade and restart devices '
'regularly.',
'root_causes': 'Unpatched WebKit zero-day '
'vulnerabilities exploited by '
'mercenary spyware groups. Slow iOS '
'26 adoption left users vulnerable '
'to accumulating risks.'},
'recommendations': ['Upgrade to iOS 26.2+ immediately to receive critical '
'security fixes.',
'Restart devices weekly to flush memory-resident malware '
'(per NSA recommendation).',
'Avoid opening unsolicited links/attachments without '
'verification.',
'Enable Automatic Updates in iOS settings.',
'Use Apple’s Lockdown Mode for high-risk users.',
'Install Malwarebytes for iOS for additional security '
'alerts.',
'Be cautious of HTML-formatted emails in Apple Mail '
'(potential attack vector).'],
'references': [{'date_accessed': '2025-12-12',
'source': 'Apple Security Advisory'},
{'source': 'Malwarebytes Blog'}],
'response': {'communication_strategy': 'Public advisory, in-app Software '
'Update notifications',
'containment_measures': 'Patch release (iOS 26.2), Memory '
'Integrity Enforcement',
'enhanced_monitoring': 'Malwarebytes for iOS (Trusted Advisor '
'alerts)',
'incident_response_plan_activated': 'Yes (Apple security update '
'release)',
'recovery_measures': 'Automatic Updates, Lockdown Mode for '
'high-risk users',
'remediation_measures': 'Upgrade to iOS 26.2+, restart devices '
'to flush memory-resident malware'},
'stakeholder_advisories': 'Apple urged all users to update to iOS 26.2+ for '
'critical fixes and memory protections. High-risk '
'individuals (e.g., diplomats, journalists) were '
'advised to enable Lockdown Mode.',
'threat_actor': 'Mercenary spyware groups',
'title': 'Apple WebKit Zero-Day Vulnerabilities Exploited in Targeted Spyware '
'Attacks',
'type': 'Zero-Day Exploit',
'vulnerability_exploited': ['CVE-2025-XXXX (WebKit Zero-Day 1)',
'CVE-2025-XXXX (WebKit Zero-Day 2)']}