Morning Overview

Apple warns 800 million iPhones remain exposed as only half updated to fix actively exploited WebKit flaw

If you own an iPhone and have been tapping “Remind Me Later” on software updates, this is the week to stop. A vulnerability in WebKit, the engine that renders every webpage on every iPhone browser, is being actively exploited by attackers. Apple has released a fix. The U.S. government has confirmed the threat is real. Yet by several third-party estimates, roughly half of the world’s 1.6 billion active iPhones have not yet installed the patch, leaving hundreds of millions of devices exposed as of late May 2025.

The flaw, tracked as CVE-2025-43529, is not theoretical. The Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, a designation the agency reserves exclusively for bugs that have been used against real targets in the wild. Under Binding Operational Directive 22-01, every federal civilian agency must patch KEV-listed flaws within a set deadline or face compliance consequences. That level of urgency from Washington is a reliable signal for everyone else.
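As an added example (not code from the article or from CISA), here is a small Python check a defender can run against the KEV feed format the article refers to, to confirm a CVE is listed and see how much of the BOD 22-01 remediation window remains. The feed URL and field names are those of CISA's public JSON feed; the entry values, dateAdded and dueDate in SAMPLE_KEV_JSON are constructed placeholders because the page gives no catalog dates for this CVE.

```python
import json
from datetime import date

# Real feed (fetch separately; this example runs offline on the constructed sample):
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. Field names match the real
# feed; the dates and description below are placeholders, not catalog data.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-43529",
      "vendorProject": "Apple",
      "product": "Multiple Products",
      "vulnerabilityName": "Apple WebKit Memory Corruption Vulnerability",
      "dateAdded": "2025-05-20",
      "shortDescription": "Constructed placeholder description.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2025-06-10",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""


def load_kev(raw: str) -> dict:
    """Index KEV entries by CVE id so lookups are constant time."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def kev_status(kev: dict, cve_id: str, today_iso: str) -> dict:
    """Report whether a CVE is in KEV and its BOD 22-01 due-date state.

    status is 'not_listed', 'open' (due date not yet passed) or 'overdue'.
    """
    entry = kev.get(cve_id)
    if entry is None:
        return {"cve": cve_id, "status": "not_listed"}
    days_left = (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days
    return {
        "cve": cve_id,
        "status": "open" if days_left >= 0 else "overdue",
        "due_date": entry["dueDate"],
        "days_left": days_left,
        "required_action": entry["requiredAction"],
    }


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for cve in ("CVE-2025-43529", "CVE-2024-23222"):
        print(kev_status(catalog, cve, "2025-05-28"))
```

Replace SAMPLE_KEV_JSON with the downloaded feed body to check the live catalog; a CVE missing from the feed is reported as not listed rather than as safe.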

Why WebKit flaws hit every iPhone browser

WebKit is not just Safari’s engine. Apple requires every browser on iOS, including Chrome, Firefox, Brave, and any app that displays web content, to use WebKit for rendering. That means a single flaw in WebKit creates an attack surface that spans every browser on the platform. A convincing phishing link, a compromised news page, or a malicious ad could trigger the vulnerability regardless of which app loads it.

This is not a new pattern. In January 2024, Apple patched a similar WebKit zero-day, CVE-2024-23222, which the European Union’s CERT-EU described as a type confusion bug that allowed crafted web content to achieve arbitrary code execution. That flaw, too, was actively exploited before many users updated. The mechanics of CVE-2025-43529 follow the same general class: hostile data delivered through a webpage causes WebKit to mishandle memory, potentially letting an attacker run their own code on the device.

One important nuance: since iOS 17.4, Apple has allowed alternative browser engines in the European Union under pressure from the Digital Markets Act. Users in EU countries running Firefox or Chrome with their native engines may have a different exposure profile for this specific flaw. Outside the EU, WebKit remains the only option, and the vulnerability applies universally across browsers.

How solid is the “800 million” number?

The headline figure deserves scrutiny. Apple does not publicly release real-time adoption rates for individual security patches. The estimate that roughly half of iPhones remain unpatched comes from third-party analytics firms that sample app-level data, and those figures carry meaningful margins of error. What is confirmed: Apple’s active installed base exceeds 1.6 billion iPhones worldwide, and historical update-adoption curves show that even critical security releases take weeks to reach the majority of devices. The scale of exposure is plausible, but the precise count cannot be independently verified from government or Apple sources.

What is confirmed, without ambiguity, is the chain of facts that matters most. The vulnerability exists. Apple has patched it. CISA has verified active exploitation. Whether the true number of exposed devices is 400 million or 800 million does not change the calculus for any individual user: if your iPhone is not running the latest available iOS, you are a potential target, and the fix is already waiting in your Settings app.

Who is being targeted?

Neither CISA’s KEV listing nor Apple’s advisory specifies who has been targeted, how many users were affected, or which threat actors are involved. Past WebKit zero-days have been linked to commercial spyware vendors, including NSO Group’s Pegasus, that focus on journalists, activists, diplomats, and government officials. But applying that profile to CVE-2025-43529 without direct evidence would be speculation. The attack timeline, including whether exploitation began before or after Apple’s patch shipped, is also not detailed in available public records.

What is clear is that the threat is not limited to high-profile targets. Once a working exploit circulates, it can be repurposed by less sophisticated actors for broader campaigns, from credential theft to financial fraud. The window between a patch release and widespread adoption is exactly when opportunistic attackers scale up.

Older iPhones face a harder problem

Apple typically limits the latest iOS releases to devices from the past five to six years. iPhones older than the iPhone 8 line, for example, cannot run iOS 16 or later. Whether Apple has issued a backported fix for older iOS branches covering CVE-2025-43529 is not confirmed in available NVD or vendor documentation as of late May 2025. If no backport exists, those devices are permanently exposed unless owners replace their hardware or sharply restrict how they browse.

iPads and Macs also use WebKit and may be affected by the same underlying flaw. Apple’s security advisories typically cover all platforms simultaneously, so users of those devices should check for updates as well.

How to patch your iPhone right now

The fix takes less than five minutes to start. Open Settings, tap General, then tap Software Update. Install whatever iOS version is available for your device. If you see a Rapid Security Response or a minor point release that specifically references WebKit or Safari, install it immediately rather than waiting for a larger update.

Going forward, toggle on Automatic Updates (under Settings > General > Software Update > Automatic Updates) so that security patches install overnight without requiring manual action. This single setting closes the gap that attackers rely on most: the weeks or months between a fix being available and a user getting around to installing it.

For anyone running a device too old to receive the latest iOS, the risk calculation is personal but worth making honestly. If you use that phone for online banking, private messaging, or work involving sensitive data, continuing to browse the open web on an unpatchable device carries real exposure. Shifting those tasks to a supported device, or at minimum avoiding unfamiliar links and untrusted sites on the older phone, reduces the attack surface meaningfully.

A recurring pattern Apple has not solved

CVE-2025-43529 is not an isolated incident. It is the latest in a recurring cycle: a WebKit flaw surfaces, Apple patches it, governments confirm exploitation, and a large share of the user base remains exposed for weeks. The same sequence played out with CVE-2024-23222 in early 2024, with CVE-2023-42916 and CVE-2023-42917 in late 2023, and with multiple WebKit bugs before that. Each time, the fix was available before most users installed it.

The pattern points to a structural gap. Apple’s security engineering team responds quickly to disclosed flaws, but the company’s update-delivery model still depends on users choosing to act, or at least not choosing to delay. Until automatic patching becomes truly seamless and default for security-critical fixes, the window of exposure after every WebKit zero-day will remain wide open for hundreds of millions of devices. For now, the most reliable defense is the simplest one: update today, not tomorrow.

*This article was researched with the help of AI, with human editors creating the final content.