Overview
- Apple says mercenary spyware has exploited WebKit flaws in highly targeted campaigns; one of the bugs, tracked as CVE-2025-14174, allows arbitrary code execution.
- Emergency fixes landed in December, but devices capable of running the new release must move to iOS 26; backports are available only for models that cannot run it.
- Adoption remains uncertain: estimates of iOS 26 adoption range from under 20% to about 60%, leaving a large and unclear number of iPhones potentially unpatched.
- Security guidance prioritizes updating to iOS 26.2 where supported, restarting devices to flush memory-resident malware, and enabling Lockdown Mode for likely targets.
- Experts warn that reboots do not remove persistent spyware, reinforcing that installing the latest software is the only reliable remediation for these exploits.