Hundreds of millions of iPhones worldwide could still be running iOS versions that contain a flaw allowing full device takeover, according to entries in the U.S. government’s National Vulnerability Database. Two tracked vulnerabilities, CVE-2025-43529 and CVE-2026-20700, affect iOS builds released before iOS 26, and at least one has already been exploited in what Apple describes as “extremely sophisticated” real-world attacks. The gap between the availability of a fix and the pace at which users actually install it is now the central risk.
Why a takeover flaw in older iOS builds demands attention right now
The core tension is straightforward: Apple has shipped patches, but a large share of iPhones in active use have not received them. The NVD record for CVE-2026-20700 explicitly states that the vulnerability affects iOS versions before iOS 26, and its description references exploitation in “extremely sophisticated attacks.” That language, drawn from Apple’s own advisory as the assigning CNA, signals confirmed in-the-wild use rather than a theoretical risk.
A reasonable hypothesis is that update rates for the affected iOS versions will accelerate measurably in the 60 days after CISA adds these CVEs to its Known Exploited Vulnerabilities Catalog. The logic is simple: once a flaw lands on that list, federal civilian agencies face binding remediation deadlines, and the publicity ripple tends to push consumer awareness higher. Public app-store telemetry from Apple’s developer distribution data and third-party analytics firms could, in principle, track that acceleration. No public dataset has yet confirmed the specific figure of 270 million unpatched devices, but the number aligns with estimates of iPhones still running iOS versions older than iOS 26 based on Apple’s global installed-base disclosures in recent earnings calls. Without Apple releasing granular version-adoption numbers tied to these specific CVEs, the exact count remains an estimate rather than a confirmed statistic.
The practical consequence for individual users is direct. Anyone whose iPhone displays a software version below iOS 26 in the Settings app is running code that contains at least one of these flaws. Attackers who have already demonstrated the ability to exploit CVE-2026-20700 in targeted operations now have a known playbook, and the longer devices remain unpatched, the wider the window for less sophisticated groups to adapt and scale those techniques. For high-risk users such as journalists, political dissidents, and executives with access to sensitive data, the existence of a working exploit chain against older iOS builds raises the stakes for staying current on updates.
NVD records and CISA’s catalog trace the evidence trail
Two primary government databases anchor the factual record. The National Vulnerability Database, maintained by NIST, holds the authoritative entry for CVE-2025-43529, which lists Apple as the CVE Numbering Authority responsible for the record. That designation means Apple itself identified, documented, and reported the flaw to the global tracking system. A separate NVD entry covers CVE-2026-20700, where the description carries Apple’s characterization of exploitation occurring in “extremely sophisticated attacks” against devices running iOS versions before iOS 26.
CISA’s Known Exploited Vulnerabilities Catalog serves a different but complementary function. The catalog is not simply an informational list. It triggers mandatory remediation timelines for federal civilian executive branch agencies and acts as a de facto severity signal for the private sector. When a CVE appears there, it means the U.S. government has determined that the flaw is being actively used by threat actors, not just theoretically exploitable. CISA maintains this living catalog as a continuously updated reference for defenders.
The combination of Apple’s own acknowledgment through the CNA process, NIST’s formal NVD tracking, and CISA’s active-exploitation designation creates a three-layer confirmation that these flaws are real, patched in newer software, and already weaponized. That chain of evidence is unusually strong compared with the typical vulnerability disclosure cycle, where many CVEs never progress beyond theoretical proof-of-concept status. In this case, defenders can point to concrete records that tie together vendor advisories, standardized identifiers, and government-level urgency.
What the 270 million device estimate still lacks
The headline figure of up to 270 million exposed iPhones does not appear in any of the primary government records. The NVD entries contain no device-population counts or update-adoption statistics. CISA’s catalog lists the CVEs but supplies no Apple remediation timelines or version-specific telemetry. And Apple itself has not published a public statement quantifying how many iPhones remain on vulnerable builds for these specific flaws.
That gap matters because the difference between 270 million and, say, 100 million changes the risk calculus for enterprises, carriers, and governments deciding how aggressively to push updates. Apple periodically shares iOS adoption percentages during developer conferences and in App Store support pages, but those figures typically report adoption of the latest major release rather than breaking out how many devices sit on each prior version. Third-party analytics firms attempt to fill this void, yet their methodologies rely on sampling web traffic or app sessions, which can skew toward active, tech-engaged users and undercount older devices used less frequently.
Several questions remain open. First, which specific device models are unable to run iOS 26 at all, and therefore will never receive a direct patch for these flaws? Second, among devices that can update, what proportion are being held back by user choice, managed enterprise policies, or compatibility concerns with legacy apps and accessories? Finally, how quickly will these numbers shift now that the vulnerabilities have moved from specialist security advisories into mainstream coverage and government warning lists? Without transparent, version-level adoption data from Apple, outside observers are left to infer the scale of exposure from partial signals and broad installed-base figures.
How organizations and users should respond
In the absence of precise device counts, the safest working assumption for defenders is to treat any iPhone below iOS 26 as potentially exposed. For enterprises, that means tightening mobile device management policies to require upgrades where hardware supports it, and segmenting or restricting access for devices that cannot be brought into compliance. Security teams should also review logs for signs of anomalous mobile activity, particularly around high-value accounts that may attract targeted exploitation attempts.
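As an added illustration (not code from the article, Apple, or any MDM vendor), the working assumption above can be applied mechanically to an MDM inventory export: every device on a build below iOS 26 is exposed, those whose hardware can take iOS 26 get an enforced update, and the rest are routed to access restriction. The inventory records, the device ids and the `supports_ios26` field are constructed assumptions; the page itself does not list which models can or cannot run iOS 26.

```python
"""Triage a (constructed) MDM inventory against the article's working assumption:
any iPhone on an iOS version below 26 is treated as potentially exposed to
CVE-2025-43529 / CVE-2026-20700 and must either be updated or restricted."""
from typing import Dict, List, Tuple

MIN_SAFE_MAJOR = 26  # iOS 26 is the first major release the NVD entries describe as unaffected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.7.1' or 'iOS 9.3.6' into a numeric tuple so that comparison is
    numeric rather than lexical (as strings, '9.3' sorts *above* '26.0')."""
    text = version.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable iOS version string: {version!r}") from exc


def is_exposed(version: str) -> bool:
    """True when the build predates iOS 26, i.e. falls inside the affected range."""
    return parse_version(version)[0] < MIN_SAFE_MAJOR


def triage(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Sort devices into the three outcomes the response guidance implies:
    compliant (iOS 26+), require_update (exposed but upgradable, push via MDM),
    restrict_access (exposed and hardware cannot reach iOS 26, segment it).
    'supports_ios26' is an assumed inventory attribute supplied by the MDM."""
    buckets: Dict[str, List[str]] = {"compliant": [], "require_update": [], "restrict_access": []}
    for device in inventory:
        if not is_exposed(device["ios_version"]):
            buckets["compliant"].append(device["id"])
        elif device["supports_ios26"]:
            buckets["require_update"].append(device["id"])
        else:
            buckets["restrict_access"].append(device["id"])
    return buckets


# Constructed sample inventory for demonstration; not real telemetry.
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "ios_version": "26.0.1", "supports_ios26": True},
    {"id": "iphone-002", "ios_version": "18.7.1", "supports_ios26": True},
    {"id": "iphone-003", "ios_version": "iOS 9.3.6", "supports_ios26": False},
    {"id": "iphone-004", "ios_version": "26.1", "supports_ios26": True},
    {"id": "iphone-005", "ios_version": "17.7", "supports_ios26": False},
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {ids}")
```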
Individual users can take a few concrete steps. The most important is to check the current software version in the Settings app and install any pending update that brings the device to iOS 26 or later. Users who find that their hardware no longer receives major iOS releases face a harder choice: continue using a phone that may harbor unpatched takeover flaws, or migrate to a newer device that will receive security updates. For people who handle sensitive personal or professional information, the long-term risk of remaining on unsupported software increasingly outweighs the short-term cost and inconvenience of upgrading.
The story of CVE-2025-43529 and CVE-2026-20700 ultimately illustrates a broader structural problem. Modern smartphones concentrate enormous amounts of personal, financial, and corporate data, yet the ecosystem still depends on voluntary, unevenly distributed updates to close critical security holes. Until vendors, regulators, and carriers find more reliable ways to shorten the window between patch release and real-world adoption, the next iOS takeover flaw is likely to follow the same pattern: confirmed exploitation, available fixes, and a long tail of millions of devices left behind.
*This article was researched with the help of AI, with human editors creating the final content.