Google and Apple have expanded their emergency security responses this week after uncovering a coordinated hacking campaign that relied on previously unknown software vulnerabilities, commonly referred to as zero-day exploits. Both companies have now confirmed that the flaws were actively abused before patches were available, reinforcing concerns that the attacks were carried out by a highly capable actor rather than opportunistic criminals.
Apple’s updates add important technical detail to what the company has described as an “extremely sophisticated attack against specific targeted individuals.” According to its security bulletins, the vulnerabilities were exploited on devices running versions of iOS prior to iOS 26. Apple does not use this language lightly, and it has historically been associated with real-world surveillance operations rather than broad consumer malware campaigns.
One of the vulnerabilities, tracked as CVE-2025-43529, affects WebKit, the browser engine that underpins Safari as well as Mail, the App Store, and numerous third-party applications across iOS, macOS, and Linux. The flaw allows remote code execution through maliciously crafted web content, meaning a victim could be compromised simply by viewing a booby-trapped page. Apple credits the discovery of this issue to Google’s Threat Analysis Group, a unit that focuses on state-backed hacking operations and commercial spyware vendors.
The second vulnerability, CVE-2025-14174, is also tied to WebKit and could lead to memory corruption if exploited. Apple says this flaw was uncovered through a joint effort between its own security teams and Google’s Threat Analysis Group, underscoring the level of cooperation prompted by the seriousness of the campaign.
Apple has confirmed that affected hardware includes iPhone models from the iPhone 11 onward, along with a wide range of iPads, including iPad Pro, iPad Air, standard iPad, and iPad mini models released over the past several years. The company has issued fixes across its software ecosystem, including iOS 26.2, iPadOS 26.2, iOS 18.7.3, iPadOS 18.7.3, macOS Tahoe 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, and Safari 26.2.
Google’s response appears closely linked. Earlier in the week, the company released Chrome updates addressing several vulnerabilities, one of which it acknowledged was already under active exploitation. While initial disclosures were sparse, Google later updated its advisory to note that the issue had been identified by Apple’s security engineering team alongside Google’s Threat Analysis Group. That attribution is unusual and suggests the same threat actor may have been targeting multiple platforms using tailored exploits.
Zero-day attacks remain among the most dangerous tools in modern cyber operations because they give defenders little warning and are often deployed selectively against journalists, political figures, activists, and others of strategic interest. Neither Apple nor Google has disclosed who was targeted or how many users were affected, citing the ongoing nature of their investigations.
Taken together, the parallel emergency patches and shared attribution point to a coordinated and well-resourced adversary capable of operating across competing ecosystems. For users, the episode reinforces the importance of installing security updates promptly. For the industry, it highlights how the most advanced digital threats increasingly blur platform boundaries, forcing rivals to collaborate when exploits are already being used in the wild.
