Google and Apple issued emergency updates to address zero-day flaws exploited in attacks targeting an unknown number of users.
Apple and Google have both pushed out urgent security updates after uncovering highly targeted attacks against an unknown number of users. The attacks abused zero‑day vulnerabilities in their software. The campaign appears to involve nation-state actors and commercial spyware vendors, with a focus on specific high‑value individuals rather than mass exploitation.
This week, Google patched several Chrome bugs, including one actively exploited in the wild. The flaw was found by Apple and Google researchers.
At first, Google didn’t share technical details because the investigation was ongoing. Later, they said the bug was found by both Apple’s security team and Google’s Threat Analysis Group, which tracks state-sponsored actors and commercial spyware vendors. This indicates the flaw was likely used in a targeted espionage campaign, not just random cybercrime.
Apple released updates for iPhones, iPads, Macs, and more, fixing two WebKit flaws (CVE-2025-14174, CVE-2025-43529) likely exploited in targeted iOS 26 attacks.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” states the advisory.
Apple and Google did not provide further information on the attacks.
(SecurityAffairs – hacking, zero-day)
