Zero-day vulnerabilities continue to pose increasing risks, enabling attackers to weaponize undisclosed weaknesses ahead of defensive fixes. Following a disclosure of a critical zero-day in Gladinet’s Triofox (CVE-2025-12480), a new zero-day vulnerability is already being exploited in the wild, underscoring the narrow window defenders have to act. Apple has confirmed that a newly discovered WebKit zero-day vulnerability, known as CVE-2025-14174, alongside CVE-2025-43529, has been actively exploited in highly targeted attacks. CVE-2025-14174 and CVE-2025-43529 affect all Apple devices capable of rendering web content, including Safari and every browser on iOS and iPadOS, leaving any unpatched system exposed to compromise.
WebKit, the cross-platform browser engine behind Safari and numerous applications on macOS, iOS, Linux, and Windows, continues to be a high-value target for attackers, particularly because it is mandatory for all browsers on iOS and iPadOS. For instance, in the early spring of 2025, a zero-day flaw tracked as CVE-2025-24201 was discovered in WebKit weaponized via maliciously crafted web content to break out of the Web Content sandbox.
With the latest fixes, Apple has now addressed nine zero-day vulnerabilities exploited in the wild in 2025. This reflects a clear trend that attackers are heavily investing in browser engines and rendering pipelines to bypass sandboxing and silently compromise critical targets.
Register for SOC Prime’s AI-Native Detection Intelligence Platform for SOC teams backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.
Detections from the dedicated rule set can be applied across 40+ SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.
CVE-2025-14174 Analysis
On December 12, Apple issued out-of-band security patches across its ecosystem after confirming that two WebKit zero-day vulnerabilities are under active exploitation in the wild. The weaponized security issues are CVE-2025-43529, a use-after-free vulnerability in WebKit that could allow attackers to achieve arbitrary code execution, and CVE-2025-14174 (with a CVSS of 8.8), a WebKit zero-day that may result in memory corruption when handling maliciously crafted web pages. Both flaws can be exploited through specially crafted web content, requiring no app installation or user interaction beyond visiting a malicious page
Apple confirmed it is aware that the flaws may have been exploited in an extremely sophisticated attack against specific targeted individuals running iOS versions prior to iOS 26.
Notably, CVE-2025-14174 is the same vulnerability Google patched in Chrome on December 10, 2025. Google described it as an out-of-bounds memory access issue in ANGLE, its open-source graphics library, specifically within the Metal renderer. Because ANGLE is shared across platforms, this points to cross-browser exploitation rather than an isolated bug.
Both vulnerabilities were identified through collaboration between Apple Security Engineering and Architecture and Google Threat Analysis Group. The fact that both flaws affect WebKit strongly suggests they were weaponized for highly targeted surveillance campaigns. Any device capable of rendering WebKit content, including iPhone 11 and later, supported iPads, Apple Watch Series 6+, Apple TV, and Vision Pro, was within scope.
Apple released fixes across almost its entire ecosystem, including iOS and iPadOS (26.2 and 18.7.3), macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2 for macOS Sonoma and Sequoia.
As potential CVE-2025-43529 and CVE-2025-14174 mitigation measures, Organizations should enforce immediate OS and browser updates across all Apple devices, verify MDM compliance to prevent patch deferral, and treat any delay in applying updates as a real security exposure. Defenders should assume modern web-based exploits can bypass app-level controls, actively monitor for anomalous browser or network behavior following patch deployment, and, for high-risk users, recognize that patch latency directly expands the attack surface.
WebKit zero-days underscore a critical reality: today’s most dangerous attacks often begin in the browser. The combination of stealthy exploitation, zero user interaction, and the potential for complete device takeover makes these vulnerabilities especially dangerous and demands rapid, decisive action from defenders. Rely on SOC Prime Platform to reach the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and always stay ahead of emerging threats.
The post CVE-2025-14174 Vulnerability: A New Memory Corruption Zero-Day Vulnerability in Apple WebKit Exploited in Targeted Attacks appeared first on SOC Prime.
