Vulnerabilities | January 6, 2026 | 4 min read

Apple Warns 1.8 Billion iPhone Users of WebKit Zero-Days Linked to Pegasus Spyware

Apple issues emergency patches for two WebKit zero-day vulnerabilities being actively exploited in sophisticated attacks linked to NSO Group's Pegasus spyware.

Marcus Chen

Apple has issued a stark warning to its nearly 1.8 billion iPhone users about sophisticated hacking threats exploiting zero-day vulnerabilities in WebKit, the browser engine that powers Safari and other iOS applications. The flaws are linked to attacks resembling those conducted using NSO Group's infamous Pegasus spyware.

The Vulnerabilities

Two zero-day vulnerabilities in WebKit enable attackers to execute arbitrary code on affected devices. If successfully exploited, attackers could potentially:

  • Steal sensitive data from the device
  • Conduct unauthorized surveillance
  • Achieve complete device compromise

Apple has confirmed these flaws are being actively exploited in targeted attacks, though the company hasn't disclosed specific victim details or attack scope.

Connection to Pegasus

The attack characteristics mirror previous incidents involving Pegasus, the commercial spyware developed by Israel-based NSO Group. Pegasus has a documented history of being used to target journalists, activists, politicians, and business executives worldwide.

While Apple hasn't explicitly attributed these attacks to Pegasus, the sophistication level and targeting profile align with previous NSO Group operations. Apple Security Engineering and Architecture (SEAR) teams collaborated with Google's Threat Analysis Group to identify and track the exploit chain. This follows another WebKit zero-day (CVE-2025-14174) patched in December that was also linked to targeted spyware attacks.

Who Should Be Concerned

While the average iPhone user is unlikely to be targeted by nation-state-level spyware, certain groups face elevated risk:

  • Journalists and media workers, particularly those covering sensitive topics
  • Human rights activists and NGO personnel
  • Politicians and government officials
  • Business executives in sensitive industries
  • Lawyers handling high-profile or politically sensitive cases
  • Individuals in conflict regions or authoritarian states

If you fall into any of these categories, treat this as an urgent patching priority.

Affected Devices

The vulnerabilities affect all devices running WebKit:

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later
  • Mac computers running macOS Ventura, Sonoma, or Sequoia
  • Apple Watch Series 4 and later
  • Apple TV HD and Apple TV 4K (all models)

Patch Immediately

Apple has released security updates addressing these vulnerabilities:

  • iOS 18.2.1 and iPadOS 18.2.1
  • macOS Sequoia 15.2.1
  • watchOS 11.2.1
  • tvOS 18.2.1
  • visionOS 2.2.1

To update your iPhone:

  1. Go to Settings > General > Software Update
  2. Download and install the available update
  3. Restart your device when prompted
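For administrators checking a fleet against the fixed versions listed above, the following is an added example (not code from Apple or from this article) that classifies devices in an inventory export. The CSV columns, device names and status labels are assumptions, and the inventory is constructed sample data.

```python
import csv
import io

# Fixed versions as listed in this article's "Patch Immediately" section.
FIXED = {
    "iOS": (18, 2, 1),
    "iPadOS": (18, 2, 1),
    "macOS": (15, 2, 1),
    "watchOS": (11, 2, 1),
    "tvOS": (18, 2, 1),
    "visionOS": (2, 2, 1),
}

# Constructed inventory export; column names and devices are hypothetical.
INVENTORY = """\
device,platform,os_version
press-iphone-01,iOS,18.2.1
press-iphone-02,iOS,18.2
legal-ipad-01,iPadOS,18.1.1
exec-mac-01,macOS,15.2.1
exec-mac-02,macOS,14.7.2
lobby-tv-01,tvOS,18.2
field-watch-01,watchOS,11.3
kiosk-01,iOS,18.2-beta
"""

def parse_version(text):
    """Turn '18.2' into (18, 2, 0); return None unless it is 1-3 dotted integers."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(platform, version_text):
    """Return 'patched', 'needs_update', 'older_release' or 'unknown'."""
    fixed = FIXED.get(platform)
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: check by hand
    if version >= fixed:
        return "patched"
    # The article lists no fix for earlier major releases, so flag those separately.
    return "older_release" if version[0] < fixed[0] else "needs_update"

def audit(csv_text):
    """Map each device name in the CSV export to its patch status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: classify(r["platform"], r["os_version"]) for r in rows}
```

Devices reported as `older_release` or `unknown` need manual review, since the article names a fixed build only for the release lines listed above.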

Lockdown Mode Consideration

For high-risk individuals, Apple's Lockdown Mode provides additional protection against sophisticated attacks. Lockdown Mode significantly restricts device functionality but hardens the attack surface by:

  • Blocking most message attachment types
  • Disabling link previews
  • Blocking incoming FaceTime calls from unknown contacts
  • Preventing wired connections with computers when locked
  • Restricting web browsing features

To enable Lockdown Mode: Settings > Privacy & Security > Lockdown Mode

The Spyware Industry Problem

This incident underscores the ongoing challenge of commercial spyware proliferation. Despite sanctions, lawsuits, and international condemnation, companies like NSO Group continue operating, and their tools continue appearing in attacks against civil society.

Apple has invested significantly in spyware detection and protection, including:

  • Regular security updates addressing zero-days
  • Lockdown Mode for high-risk users
  • Threat notifications to targeted individuals
  • Lawsuits against spyware vendors

Yet the cat-and-mouse game continues. Spyware vendors are well-funded, patient, and continuously developing new exploit chains.

Detection Is Difficult

One challenge with sophisticated spyware: infection often leaves minimal traces. Traditional antivirus tools typically cannot detect Pegasus-level threats. If you believe you may have been targeted:

  1. Update immediately to the latest iOS version
  2. Consider professional forensic analysis from organizations like Amnesty Tech or Citizen Lab
  3. Enable Lockdown Mode if you're in a high-risk category
  4. Report suspected targeting to organizations tracking spyware abuse

All Apple device users should update immediately. High-risk individuals should additionally consider enabling Lockdown Mode and seeking security guidance from organizations specializing in digital safety.
