CVE-2025-43529


Lookout Coverage and Recommendation for Admins
To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:
- Enforce Patches: Immediately set your mobile security policy to require the minimum patched operating system versions, iOS/iPadOS 26.2 or 18.7.3, across the entire Apple mobile fleet. Each release train needs its own minimum: a device on 26.0 or 26.1 is still unpatched even though its version number is higher than 18.7.3.
- Set Policy: Set the default OS Out of Date policy in your management console to require the fixed versions Apple released to address this use-after-free flaw.
- Limit Access: Warn or block non-compliant devices from accessing work applications and data until the OS is updated. If your risk policies allow a grace period, keep it very short and escalate from warning to blocking as it runs out.
- Integrate Data: Feed mobile device and app vulnerability data from mobile EDR into your SIEM, SOAR, or XDR so analysts can correlate it with other telemetry and watch for exploitation attempts by sophisticated threat actors.
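As an added example (this is not content from the original page, and not Lookout console logic or any Lookout or Apple API), the following Python shows the compliance gate the steps above describe: a per-release-train minimum version check for the fixed builds, beside the single-threshold check that wrongly accepts 26.0 and 26.1, and a warn/block decision with a short grace period. The fleet inventory, the device names, the 3-day grace period and the evaluation date are all constructed for the illustration.

```python
"""Minimum-patched-OS gate for an Apple mobile fleet.

Added example, not Lookout console logic or any Lookout/Apple API. It
checks reported iOS/iPadOS versions against the releases Apple shipped
with the fix for CVE-2025-43529 (26.2 and 18.7.3) and turns the result
into the warn/block decisions described above. The fleet inventory, the
grace period and the evaluation date are constructed/hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed version per release train, keyed by major version.
# A single global "at least 18.7.3" rule is wrong: 26.0 and 26.1 compare
# higher than 18.7.3 but do not contain the fix.
FIXED_VERSIONS: Dict[int, Version] = {
    26: (26, 2, 0),
    18: (18, 7, 3),
}


def parse_version(text: str) -> Version:
    """'26.2' -> (26, 2, 0); '18.7.3' -> (18, 7, 3). Components past the third are ignored."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_patched(version_text: str) -> bool:
    """True if the reported version carries Apple's fix for CVE-2025-43529."""
    v = parse_version(version_text)
    minimum = FIXED_VERSIONS.get(v[0])
    if minimum is None:
        # Trains newer than any listed fixed train (a future 27.x) ship with
        # the fix; trains older than 18 never received it.
        return v[0] > max(FIXED_VERSIONS)
    return v >= minimum


def naive_is_patched(version_text: str) -> bool:
    """The single-threshold check this example replaces; it wrongly passes 26.0/26.1."""
    return parse_version(version_text) >= (18, 7, 3)


@dataclass
class Device:
    name: str
    os_version: str
    noncompliant_since: Optional[date] = None  # first day the gate flagged it


GRACE_DAYS = 3  # hypothetical value; the page only says the period should be very short


def decide(device: Device, today: date) -> str:
    """'allow' if patched; 'warn' inside the grace period; 'block' once it has run out."""
    if is_patched(device.os_version):
        return "allow"
    if device.noncompliant_since is None:
        return "warn"  # first sighting: start the clock and warn the user
    if (today - device.noncompliant_since).days < GRACE_DAYS:
        return "warn"
    return "block"


def evaluate_fleet(devices: List[Device], today: date) -> Dict[str, str]:
    """Map each device name to the access decision for it."""
    return {d.name: decide(d, today) for d in devices}


# Constructed sample inventory and evaluation date.
SAMPLE_TODAY = date(2025, 12, 20)
SAMPLE_FLEET = [
    Device("ceo-iphone", "26.2"),
    Device("sales-ipad", "26.1", noncompliant_since=date(2025, 12, 12)),
    Device("intern-iphone", "18.7.3"),
    Device("kiosk-ipad", "18.7.2"),
    Device("legacy-iphone", "17.7.1", noncompliant_since=date(2025, 12, 19)),
]

if __name__ == "__main__":
    for name, action in evaluate_fleet(SAMPLE_FLEET, SAMPLE_TODAY).items():
        print(f"{name:15} {action}")
```

The point of keying the minimum by release train is the 26.0/26.1 case: those builds are newer than 18.7.3 yet still vulnerable, so any version-comparison policy that uses one threshold for the whole fleet lets them through.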
Overview
CISA has listed an actively exploited zero-day vulnerability, CVE-2025-43529, in Apple's WebKit, the open-source browser engine used by Safari, by third-party browsers on iOS/iPadOS, and by in-app web views. The flaw poses an extremely high risk and has been leveraged in sophisticated, highly targeted attacks.
CVE-2025-43529 is a use-after-free (UAF) bug: the engine keeps using a pointer to memory after that memory has been freed, so the stale reference can alias whatever the allocator hands out next. Processing maliciously crafted web content can trigger the bug and lead to arbitrary code execution. Apple addressed it with improved memory management.
Apple is aware of reports that this issue may have been exploited in "an extremely sophisticated attack against specific targeted individuals" on versions of iOS before iOS 26. Apple announced patches with the release of iOS and iPadOS 26.2, iOS and iPadOS 18.7.3, macOS Tahoe 26.2, Safari 26.2 for macOS, tvOS 26.2, watchOS 26.2, and visionOS 26.2.
CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) Catalog. Federal Civilian Executive Branch (FCEB) agencies are required to remediate CVE-2025-43529 by January 5, 2026. While CISA’s requirement is only for the U.S. government, enterprise organizations should use their guidance as a benchmark and devise an update plan of their own with a deadline for employees to update to the latest versions of Apple’s operating systems.
Lookout Analysis
The flaw is critical because a successful exploit achieves arbitrary code execution, which in attacks of this kind is typically the first step toward installing spyware. Exploitation of a WebKit zero-day such as this one proceeds through the following steps:
- Preparation: A threat actor crafts a malicious webpage or web content specifically designed to trigger the memory handling flaw in WebKit.
- Delivery: The attacker directs the target device to process the malicious web content. This can happen through various means, such as:
  - Luring the user to visit a malicious website or a compromised legitimate site.
  - Delivering the content via a link in a message or email, or through a web view embedded in a third-party application.
- Exploitation: When the target device's WebKit engine processes the malicious content, the use-after-free is triggered, giving the attacker control of the stale memory and letting them execute their own code inside the browser's sandboxed content process. On its own this does not install anything on the device; that requires the next step.
- Impact: The exploit, chained with further exploits that escape the sandbox and bypass platform protections, can be used to install powerful surveillance tools or spyware. The spyware can then collect sensitive information such as messages and location data and access the device's camera and microphone.