If your iPhone is still running a version of iOS older than 15.2, hackers already have a proven way in. A WebKit vulnerability patched by Apple back in December 2021 remains a live threat to every device that never received the fix, and the U.S. government’s cybersecurity agency has confirmed that attackers have used it against real targets, not just in lab demonstrations.
The flaw, tracked as CVE-2021-30952, is an integer overflow bug in WebKit, the engine that powers Safari and every in-app browser on iOS. A specially crafted webpage can trigger the error and let an attacker execute arbitrary code on the device, potentially gaining access to personal data, credentials, and device controls. Apple addressed the issue in iOS 15.2, but any iPhone stuck on an earlier release, whether because the owner skipped updates or because the hardware is too old to support newer software, remains exposed as of June 2026.
Federal authorities flagged this as actively exploited
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-30952 to its Known Exploited Vulnerabilities (KEV) catalog, a list reserved for flaws that have been confirmed as weaponized in real-world attacks. Inclusion on the KEV list is not based on theoretical risk. CISA requires evidence of active exploitation before a vulnerability qualifies, and once listed, federal civilian agencies must patch or mitigate the flaw within a set deadline.
The National Vulnerability Database, maintained by the National Institute of Standards and Technology, cross-references the KEV listing and hosts the standardized technical description of the bug. Together, these two government-maintained sources create a documented chain from the technical details of the flaw to the confirmation that attackers have successfully used it against live systems.
For anyone still running a pre-15.2 version of iOS, that chain of evidence translates into a concrete risk: visiting a malicious or compromised website could hand an attacker code execution on the device.
How many iPhones are still vulnerable
No official Apple disclosure or independently audited dataset pins down the exact number of devices still running iOS versions older than 15.2. Estimates in the hundreds of millions have appeared in secondary coverage, but those figures typically extrapolate from Apple’s publicly reported installed base and third-party analytics platforms that track iOS adoption rates. The numbers are directionally useful but unverified by Apple or any government source.
What is well established is that a meaningful share of the global iPhone fleet historically lags behind on major updates, and several older models, including the iPhone 6 and iPhone 5s, cannot install iOS 15 at all. Those devices will never receive the patch, leaving their owners permanently exposed to CVE-2021-30952.
What we still do not know
CISA’s catalog confirms exploitation occurred but does not publicly attribute attacks to specific threat groups, nation-states, or criminal organizations. Whether the campaigns were broad and opportunistic or narrowly targeted at high-value individuals, such as journalists or government officials, is a distinction the available primary sources do not make. Some older WebKit flaws have been linked to commercial spyware operations in separate reporting, but no primary evidence ties CVE-2021-30952 to a specific surveillance tool.
There is also limited public detail about whether exploitation has continued at the same intensity since the patch shipped. Attackers often shift focus once a bug is widely known, but older hardware and lagging updates can keep a vulnerability useful for targeted campaigns long after it fades from headlines.
How to check your iPhone and protect yourself
The fix has been available for years. Applying it is the single most effective step any affected user can take.
- Check your iOS version: Open Settings, then General, then About and look at the Software Version field. If it reads anything below 15.2, your device is vulnerable to CVE-2021-30952.
- Update immediately: Go to Settings, then General, then Software Update and install the latest available release. Turn on Automatic Updates if you have not already.
- If your iPhone cannot update: Models like the iPhone 6 and earlier cannot run iOS 15. Owners of these devices face a vulnerability that will never be patched on that hardware. Limiting web browsing, keeping sensitive tasks like banking on a newer device, and avoiding unfamiliar links can reduce exposure, but device replacement is the only complete fix.
What organizations should do
For IT teams managing fleets of Apple devices, CISA’s KEV catalog provides a clear directive. Any device running software vulnerable to a KEV-listed flaw should be treated as an active security risk. Administrators can cross-reference device inventories against the affected iOS versions and enforce update policies accordingly, including blocking network access for noncompliant devices or using mobile device management tools to push updates.
Because WebKit powers not just Safari but virtually every in-app browser on iOS, a WebKit-level exploit can potentially reach a wide range of business workflows. Security teams should treat this case as a template: monitor the National Vulnerability Database and the KEV catalog, map new entries to internal asset inventories, and set firm remediation deadlines.
Why the gap between headline claims and verified evidence matters
The headline figure of 800 million affected iPhone users originates in secondary news coverage, not in any official Apple disclosure, government database, or independently audited dataset. No primary source reviewed for this article confirms that specific number. Estimates in the hundreds of millions are extrapolated from Apple’s publicly reported installed base and third-party analytics platforms that track iOS version adoption rates. Those figures may be directionally plausible, but they are unverified, and readers should weigh them accordingly.
The core facts, however, are solid. A specific Apple vulnerability was exploited in the wild, federal authorities documented it, and the fix requires a software update to iOS 15.2 or later. No direct Apple statement warning users about ongoing exploitation of this particular flaw appears in the available primary source material; the urgency framing originates largely in news coverage.
That distinction matters, but it does not change the practical advice. Users who update their devices, or retire hardware that can no longer be patched, will have addressed the documented risk regardless of the exact number of others who remain exposed. The vulnerability is real, the exploitation is confirmed, and the fix is free. The only variable is whether you apply it.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
