iOS 26.2: Apple Confirms Active iPhone Attacks Against Business Targets

The Uncomfortable Truth

On 12 December 2025, Apple released iOS 26.2 with fixes for over 20 security vulnerabilities. Two of them (CVE-2025-43529 and CVE-2025-14174) were already being exploited in what Apple describes as "an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26."

That's Apple's polite way of saying: nation-state actors and commercial spyware vendors were actively compromising iPhones before this patch existed.

These aren't theoretical vulnerabilities. They are proven attack vectors that Google's Threat Analysis Group, the same team that tracks Pegasus spyware and similar surveillance tools, discovered after they had already been weaponised.

What Actually Happened

Both exploited vulnerabilities exist in WebKit, the browser engine that powers Safari and every other web browser on iOS. Yes, even Chrome and Firefox on your iPhone use WebKit because Apple doesn't let anyone else have their own browser engine.

CVE-2025-43529 is a use-after-free vulnerability. An attacker sends you to a malicious website. The site runs JavaScript that triggers a memory management flaw. That flaw allows arbitrary code execution on your device. No password required. No clicking "Accept." Just visit the wrong website and your iPhone is compromised.

CVE-2025-14174 is a memory corruption issue. Apple issued both CVE numbers "in response to this report," meaning these vulnerabilities were chained together in actual attacks. First vulnerability gets code running. Second vulnerability corrupts memory to bypass iOS security protections.

This is sophisticated, multi-stage exploitation. The kind that costs hundreds of thousands to develop and is typically deployed by governments or well-funded criminal organisations.

The Business Consequences

If you're a small business owner thinking "but we're not important enough to target," you're dangerously wrong about how these exploits work.

Once vulnerabilities become public, they get reverse-engineered and weaponised by less sophisticated attackers within days. What started as a targeted espionage tool against journalists and dissidents becomes a commodity exploit sold on criminal forums for a few thousand pounds.

Your business doesn't need to be the primary target. Your business needs to be connected to a target. Your accountant. Your solicitor. Your IT contractor. Your largest customer. Any of them could be compromised, and your iPhone becomes the next hop in a supply chain attack.

The kernel vulnerability (CVE-2025-46285) lets malicious apps gain root privileges. Complete system control. Bypass all security restrictions. Access any data. Modify system files. Persist after factory reset. That's the nightmare scenario for any business device with financial data, customer information, or access to your internal systems.

The Payment Token Problem

CVE-2025-46288 in the App Store framework could let apps access sensitive payment tokens without authorisation. If you use Apple Pay for business expenses, store payment information in apps, or have employees who do, this vulnerability could expose that financial data.

This isn't about sophisticated nation-state attacks. This is about malicious apps potentially stealing payment credentials. The barrier to entry for exploiting this is much lower.

What You Need to Do Right Now

Update every business iPhone to iOS 26.2 immediately. Not next week. Not after the busy period. Today.

Go to Settings > General > Software Update. If iOS 26.2 is available, install it. If you're on iOS 18 or earlier, update to iOS 26.2 directly. Apple is actively pushing users to upgrade because the security foundation of older iOS versions can't match the protections in iOS 26.

For business devices, you should be using Mobile Device Management (MDM) to enforce updates. If you're not, you're managing a fleet of devices with no centralised security control. That's a governance failure waiting for an ICO investigation.

If you can't enforce MDM because of cost or complexity, at minimum create a policy requiring iOS security updates within 48 hours of release. Make it a disciplinary matter. These aren't nice-to-have patches. These are fixes for vulnerabilities that attackers are already exploiting.

The FaceTime Password Leak

While less severe than the actively exploited vulnerabilities, CVE-2025-43542 is worth understanding. If someone uses FaceTime to remotely control another device, password fields could be unintentionally revealed during the session.

This is precisely the kind of vulnerability that makes shared screen sessions risky. If your employees use screen sharing for remote support, training, or collaboration, they need to understand that password managers, authentication forms, and sensitive data can leak through these channels.

Screen sharing is a business necessity. The solution isn't to ban it. The solution is to implement proper controls: always use application sharing instead of full desktop sharing, never type passwords during screen share sessions, and assume anything visible on screen during sharing is potentially recorded.

The Google Connection

It's significant that Google's Threat Analysis Group discovered these vulnerabilities. Google TAG specifically tracks commercial spyware and nation-state threats. When they report vulnerabilities to Apple, it's because they've seen them used in real attacks against real targets.

Google patched the same WebKit vulnerabilities in Chrome on 10 December 2025. That gave attackers a 48-hour window where they knew exactly what to target on iPhones before Apple's patch arrived. That's not Apple being slow. That's the reality of coordinated disclosure with multiple vendors.

But it highlights why small businesses can't wait weeks to deploy patches. The moment vulnerabilities become public, the exploitation window opens for everyone.

The Forensics Problem

Here's something that should worry any business dealing with potential compromise: iOS 26 fundamentally changed how the shutdown.log file operates. It now overwrites on every reboot instead of appending new entries.

This means that when you update to iOS 26.2 and restart your device, the evidence that shutdown.log previously held of sophisticated malware like Pegasus or Predator spyware gets erased. Security researchers who previously used shutdown.log analysis to detect compromised devices no longer have that capability.

If you suspect a business iPhone might be compromised, don't update it. Don't restart it. Engage a proper digital forensics specialist before you destroy the evidence. This applies to any potential security incident, not just sophisticated spyware.

The Cost of Delay

Research shows organisations typically need 38 to 150 days to fully deploy security updates across their estate. Attackers weaponise disclosed vulnerabilities in hours or days. That's why the defence always loses.

Small businesses can't afford that delay. You don't have 150 days. You don't have 30 days. You have about 48 hours before these vulnerabilities become commodity exploits that any competent attacker can deploy.

Every day you delay updating is another day your business devices run with known, exploited security holes. That's not a technical problem. That's a governance failure.

The Director's Responsibility

If you're a director or business owner, you're responsible for protecting customer data, financial information, and business systems from unauthorised access. Using devices with known, exploited security vulnerabilities is the opposite of that responsibility.

Under UK GDPR, you're required to implement appropriate technical and organisational measures to ensure security of processing. Running unpatched devices with actively exploited vulnerabilities fails that test. If you suffer a breach because of this, the ICO will ask why you didn't apply available security updates.

You can't claim you didn't know. Apple publicly confirmed these vulnerabilities were actively exploited. The patches are available for free. The update process takes 15 minutes per device. There's no excuse.

Implementation Guidance

For businesses with fewer than 10 devices, manual updates are acceptable but need formal process. Create a policy requiring iOS updates within 48 hours. Assign someone specific responsibility. Track compliance in writing.

For businesses with 10 to 50 devices, investigate MDM solutions. Microsoft Intune starts at £4.70 per user per month (part of Microsoft 365 Business Premium). Jamf Now starts at £2 per device per month. These tools let you enforce updates, track compliance, and prove due diligence.

For businesses over 50 devices, MDM isn't optional anymore. You're managing a fleet. You need fleet management tools. Budget accordingly.
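The 48-hour policy described earlier and the MDM guidance above both come down to two artefacts: something the MDM can push to force the update by a deadline, and a written record of which devices are actually compliant. The script below is an added example for this article, not Apple's, Intune's or Jamf's code. The declaration type and the TargetOSVersion, TargetLocalDateTime and DetailsURL payload keys are the ones Apple documents for Declarative Device Management software-update enforcement; the release date is the article's, but the time of day, the identifier scheme, the device inventory and every device name are constructed assumptions.

```python
"""Added example: the 48-hour patch rule as a DDM declaration plus a compliance
report. Release date from the article; everything else is constructed."""
from __future__ import annotations

import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta

REQUIRED_VERSION = "26.2"
RELEASE_TIME = datetime(2025, 12, 12, 18, 0)  # date from the article; hour assumed
PATCH_SLA = timedelta(hours=48)               # the article's 48-hour rule
DDM_ENFORCEMENT_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "26.1.1" into (26, 1, 1). Compare as integer tuples, never as
    strings: "26.10" sorts before "26.2" lexicographically but is newer."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in parts)


def is_patched(installed: str, required: str = REQUIRED_VERSION) -> bool:
    """True when installed >= required. Tuples are zero-padded so "26.2" and
    "26.2.0" compare equal; bare (26, 2) < (26, 2, 0) would be wrong here."""
    have, need = parse_version(installed), parse_version(required)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def enforcement_declaration(
    required: str = REQUIRED_VERSION,
    release_time: datetime = RELEASE_TIME,
    sla: timedelta = PATCH_SLA,
    details_url: str | None = None,
) -> dict:
    """DDM declaration forcing the update by release + SLA. Type and payload
    keys are Apple's; the name-based UUID identifier (idempotent re-push) is
    this example's own choice."""
    deadline = release_time + sla
    payload = {
        "TargetOSVersion": required,
        # Apple expects a local date-time with no timezone suffix.
        "TargetLocalDateTime": deadline.strftime("%Y-%m-%dT%H:%M:%S"),
    }
    if details_url:
        payload["DetailsURL"] = details_url
    return {
        "Type": DDM_ENFORCEMENT_TYPE,
        "Identifier": str(uuid.uuid5(uuid.NAMESPACE_URL, f"ios-enforce-{required}")),
        "Payload": payload,
    }


@dataclass(frozen=True)
class Device:
    name: str
    owner: str
    os_version: str
    last_seen: datetime  # when the device last reported its inventory


# Constructed sample inventory: names, owners and versions are invented.
SAMPLE_INVENTORY = [
    Device("iphone-finance-01", "accounts", "26.2", datetime(2025, 12, 13, 9, 0)),
    Device("iphone-sales-02", "sales", "26.1.1", datetime(2025, 12, 15, 8, 30)),
    Device("iphone-md-03", "director", "18.7", datetime(2025, 12, 15, 7, 45)),
    Device("iphone-spare-04", "it", "26.1", datetime(2025, 12, 1, 12, 0)),
]
SAMPLE_REPORT_TIME = datetime(2025, 12, 15, 10, 0)  # constructed "now"


def compliance_report(
    devices: list[Device],
    now: datetime,
    required: str = REQUIRED_VERSION,
    release_time: datetime = RELEASE_TIME,
    sla: timedelta = PATCH_SLA,
) -> dict[str, list[str]]:
    """Bucket devices for the written record: stale (no check-in since the
    release, so the version is unverified), patched, in_grace (unpatched but
    before the deadline) and overdue (the policy breach to act on)."""
    deadline = release_time + sla
    report: dict[str, list[str]] = {"patched": [], "in_grace": [], "overdue": [], "stale": []}
    for device in devices:
        if device.last_seen < release_time:
            report["stale"].append(device.name)
        elif is_patched(device.os_version, required):
            report["patched"].append(device.name)
        elif now <= deadline:
            report["in_grace"].append(device.name)
        else:
            report["overdue"].append(device.name)
    return report


if __name__ == "__main__":
    print(json.dumps(enforcement_declaration(), indent=2))
    print(json.dumps(compliance_report(SAMPLE_INVENTORY, SAMPLE_REPORT_TIME), indent=2))
```

Two design points worth noting. Version strings must be compared numerically, or a future "26.10" would be reported as older than "26.2" and silently pass as non-compliant. And a device that has not checked in since the release is reported separately as stale rather than trusted on its last known version, because an MDM inventory is only evidence of compliance if it is current.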

The Broader Pattern

Since 2023, Apple has disclosed 17 different WebKit vulnerabilities that attackers exploited in the wild. This isn't a one-off incident. This is a systematic pattern of sophisticated attackers targeting the foundation of web browsing on iOS.

The sophisticated attacks are the canary in the coal mine. When Google TAG sees nation-state actors exploiting vulnerabilities, those same vulnerabilities will be commoditised and deployed by less sophisticated attackers within weeks.

Your business doesn't need to be targeted by nation-states to be compromised by these vulnerabilities. You just need to be profitable enough to be worth phishing.

What This Means for Your Business

Every business iPhone is a potential access point to your network, your data, and your customers' information. Treating these devices as personal phones that happen to be used for work is a fundamental security failure.

Business devices need business-grade security controls. That means MDM. That means enforced updates. That means policies with consequences for non-compliance.

If you're not doing this, you're not running a business with appropriate security controls. You're running a business with a collection of unmanaged endpoints that are probably already compromised and you just don't know it yet.

The iOS 26.2 update is available now. Update your devices. All of them. Today.
