
CISA adds Apple zero-day and Gladinet vulnerabilities to its known exploited list

One of two WebKit vulnerabilities has been added to the Known Exploited Vulnerabilities Catalog, as Apple warns of an “extremely sophisticated attack”.


Two new vulnerabilities have made the cut and been added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog.

CVE-2025-43529 was still listed only as reserved in the CVE database at the time of writing, but Apple has already patched it. That vulnerability, alongside CVE-2025-14174, was addressed in a swathe of Apple security updates released late last week.

Both are WebKit bugs: processing maliciously crafted web content could lead to arbitrary code execution, and Apple warned in its advisory that the issue has been exploited.


“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” Apple said.

“CVE-2025-14174 was also issued in response to this report.”

The vulnerabilities impact iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.

CVE-2025-14174 is a zero-day previously referenced by Google and linked to a Chrome vulnerability disclosed earlier this week.

The second known exploited vulnerability, CVE-2025-14611, is a flaw in the AES implementation of Gladinet's CentreStack and Triofox products prior to version 16.12.10420.56791.

Huntress first disclosed the issue on 10 December, after a Gladinet customer told the cyber security firm that the vendor had released a security update that included indicators of compromise. On investigating, Huntress researchers identified the cause.

“AES implementation of Gladinet’s CentreStack and Triofox products contains hardcoded cryptographic keys. Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialisation and remote code execution,” Huntress said.

“We are seeing attackers target this flaw across our customer base; organisations that are using CentreStack/Triofox should update to the latest version, 16.12.10420.56791.”

If you're a Gladinet customer and have yet to apply the update, we recommend getting right on it: confirm that every CentreStack or Triofox instance is running 16.12.10420.56791 or later, and review the vendor's indicators of compromise on any instance that was exposed while unpatched.
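The Huntress description above comes down to a key that is identical in every shipped copy of the product. The following added example (written for this page, not Gladinet's or Huntress's code, and not a reconstruction of how CentreStack or Triofox actually handle keys) shows why that is fatal for any secret protected with it: an attacker who extracts the product-wide key from one copy can decrypt what any other installation encrypted, whereas a key generated per installation gives a stolen key no reach beyond the box it came from. The key bytes, secrets and function names are constructed for the example; the deserialisation step Huntress mentions is outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// productKey stands in for a key compiled into a product and therefore
// identical in every installation. Constructed for this example; it is not
// a key from any real product.
var productKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// seal encrypts and authenticates plaintext with AES-256-GCM under key.
// The random nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal verifies and decrypts a blob produced by seal. Because GCM is
// authenticated, a wrong key fails outright instead of yielding garbage.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// newInstallKey generates a fresh random key for one installation, the
// way an installer or first-run step should.
func newInstallKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// sharedKeyExposure models the weak design: every installation seals its
// configuration secret under productKey. An attacker who pulled that key out
// of any shipped copy can read the secret of an unrelated victim.
// Returns what the attacker recovered and whether decryption succeeded.
func sharedKeyExposure() (string, bool) {
	victimSecret := []byte("db-password-of-victim-site") // constructed
	blob, err := seal(productKey, victimSecret)
	if err != nil {
		return "", false
	}
	attackerKey := productKey // the same bytes sit in every installation
	got, err := unseal(attackerKey, blob)
	if err != nil {
		return "", false
	}
	return string(got), true
}

// perInstallKeyIsolation models the fix: each installation seals under its
// own random key. A key recovered from installation A does nothing against B.
// Returns whether the attacker (holding A's key) and the owner (holding B's
// key) could each decrypt B's secret.
func perInstallKeyIsolation() (attackerReads bool, ownerReads bool) {
	keyA, errA := newInstallKey()
	keyB, errB := newInstallKey()
	if errA != nil || errB != nil {
		return true, false
	}
	blob, err := seal(keyB, []byte("db-password-of-site-b")) // constructed
	if err != nil {
		return true, false
	}
	_, attackerErr := unseal(keyA, blob)
	_, ownerErr := unseal(keyB, blob)
	return attackerErr == nil, ownerErr == nil
}

func main() {
	s, ok := sharedKeyExposure()
	fmt.Printf("hardcoded key: attacker decrypted=%v secret=%q\n", ok, s)
	a, o := perInstallKeyIsolation()
	fmt.Printf("per-install key: attacker decrypts=%v owner decrypts=%v\n", a, o)
}
```

The design point is that the cipher itself is sound in both cases; what differs is where the key comes from. Any secret an attacker can obtain by downloading the installer is not a secret, so keys protecting per-deployment data must be generated on the deployment and never compiled in.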

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
