Application security, Third-party code, Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security

Apple fixes zero-day that exploited OS bug in open-source code

Close up shot of Apple iPhone, Apple announces iOS 26 during its WWDC 2025.

Apple on Feb. 11 patched an exploited zero-day that could let an attacker with memory write capability conduct an arbitrary code execution.

The large vendor said it was aware of a report that this issue may have been exploited in what it called an “extremely sophisticated” attack against “specific targeted individuals” on versions of iOS before iOS 26.

The patch for CVE-2026-20700 was fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3, and iPadOS 26.3.

Apple added that CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.

"Apple confirmed active exploitation of these vulnerabilities,” said Adam Boynton, senior enterprise strategy manager at Jamf. “For most organizations, there's a dangerous gap between when Apple ships a fix and when it actually protects your business — sometimes days, sometimes weeks, sometimes never.

Boynton said that gap represents measurable risk, the kind that appears in breach post-mortems and regulatory findings. Boynton explained that iOS 26.3 patches flaws that grant complete device control.

“Apple delivered the fix in days, but if your deployment relies on employees manually updating, you're running a beta test on your own security,” said Boynton. “In 2026, the question isn't whether you trust Apple's engineering. It's whether your deployment speed matches threat velocity."


Related reading:


Kelvin Lim, senior director, head of security engineering APAC at Black Duck, said this issue happened because a piece of open-source code in the Apple products had a security vulnerability. Lim explained that a single flaw in a shared component can affect every app or device that uses it.

“That’s what happened with this iOS 26.3 update,” said Lim. “A tiny part of the system, called the dyld, had a flaw. Since it’s used across iPhones, iPads, and Macs, the flaw put a lot of devices at risk."

Lim added that’s why many in the industry talk about Software Bill of Materials (SBOMs), a list of all the code ingredients in an app.

“Knowing what’s inside your software helps make sure the tools you rely on every day are safer,” said Lim.

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, added that post-compromise, the sectors most at risk include government, defense, critical NGOs, large tech, energy, and finance, or executives with geopolitical exposure or those traveling to high-risk regions.

Dani said individuals and organizations in these group should do the following:

  • Treat this as an urgent, out-of-band security update and update to the required iOS/iPadOS,macOS or watchOS/tvOS versions where applicable.
  • Apply MDM to enforce a minimum OS version for high-risk groups.
  • Consider on-device account/identity compromised with access to OAuth/SSO tokens, MFA apps and corporate email, allowing access to enterprise identity infrastructure. Make sure they are reissued.
  • Monitor for unusual mobile account behavior such as anomalous OAuth logins, password resets, or suspicious token use.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds