Apple has released coordinated security updates across iOS, iPadOS, macOS, Safari, and other platforms to address two WebKit vulnerabilities that have been actively exploited in the wild. One of the flaws mirrors a zero-day patched by Google in Chrome earlier this week, underscoring a shared risk across modern browser engines. Apple warns the issues were likely leveraged in highly targeted attacks against specific individuals.

WebKit is Apple’s core browser engine and a foundational component across its ecosystem. Unlike desktop platforms, all browsers on iOS and iPadOS — including Chrome, Firefox, and Edge — are required to use WebKit under the hood. As a result, a single WebKit flaw can expose a wide range of Apple devices simultaneously.

On Friday, Apple disclosed and patched two security vulnerabilities that it confirmed were exploited in real-world attacks. The company stated the flaws may have been used in “extremely sophisticated” campaigns targeting select individuals running older versions of iOS.

One of the vulnerabilities had already been addressed by Google in Chrome earlier in the week, suggesting active cross-platform exploitation before public disclosure.

The vulnerabilities addressed are:

Both issues affect WebKit’s handling of crafted web content, meaning an attacker could exploit them simply by luring a victim to a malicious webpage.

The flaws were identified by Apple Security Engineering and Architecture (SEAR) and Google’s Threat Analysis Group (TAG), a unit that frequently investigates state-sponsored and mercenary spyware operations.

Because WebKit underpins all browsers on iOS and iPadOS, exploitation could bypass browser choice entirely. Successful attacks may allow remote code execution within the browser context, often a stepping stone toward deeper system compromise when chained with additional vulnerabilities.

Apple confirmed the vulnerabilities were exploited prior to patching, marking them as true zero-days.

This incident highlights the strategic value of browser engine vulnerabilities for advanced attackers. Web-based exploits offer a low-friction attack vector that requires no user interaction beyond visiting a webpage, making them ideal for surveillance and espionage operations.

The shared nature of WebKit across Apple’s platforms amplifies the risk and reinforces the need for rapid patch adoption.

Apple’s attribution to Google TAG strongly suggests the vulnerabilities were discovered during investigations into targeted exploitation, not routine bug hunting. Historically, TAG involvement has correlated with nation-state or commercial spyware campaigns rather than opportunistic cybercrime.