Alerts

Apple Patches First Zero-Day of 2026 After Google TAG Discovers Exploitation in Targeted Attacks

Zero Day Wire

2 min read
Apple Patches First Zero-Day of 2026 After Google TAG Discovers Exploitation in Targeted Attacks

Apple has released security updates across its entire product ecosystem to address a zero-day vulnerability that the company says has been exploited in "extremely sophisticated" attacks targeting specific individuals.

The vulnerability, tracked as CVE-2026-20700, is a memory corruption flaw in dyld — Apple's Dynamic Link Editor responsible for loading shared libraries at runtime. An attacker with memory write capability could exploit the flaw to achieve arbitrary code execution on affected devices. Google's Threat Analysis Group (TAG) discovered and reported the vulnerability.

Linked to Prior Exploits

Apple confirmed that CVE-2025-14174 and CVE-2025-43529 were also issued in response to the same report, indicating a multi-stage exploit chain. Both vulnerabilities were patched in December 2025.

CVE-2025-14174 (CVSS 8.8) is an out-of-bounds memory access flaw in ANGLE's Metal renderer component — Apple's hardware-accelerated graphics API. Google previously disclosed this vulnerability as actively exploited in the wild.

CVE-2025-43529 (CVSS 8.8) is a use-after-free vulnerability in WebKit that enables arbitrary code execution through maliciously crafted web content.

The combination suggests a browser-based exploit chain targeting WebKit and Metal rendering before achieving code execution through the dyld memory corruption flaw.

Affected Devices and Updates

Updates are available across all current Apple platforms:

iOS 26.3 and iPadOS 26.3 \u2014 iPhone 11 and later, iPad Pro 12.9-inch 3rd gen and later, iPad Pro 11-inch 1st gen and later, iPad Air 3rd gen and later, iPad 8th gen and later, iPad mini 5th gen and later.

macOS Tahoe 26.3 \u2014 Macs running macOS Tahoe.

tvOS 26.3 \u2014 Apple TV HD and Apple TV 4K (all models).

watchOS 26.3 \u2014 Apple Watch Series 6 and later.

visionOS 26.3 \u2014 Apple Vision Pro (all models).

Apple also released patches for older platforms including iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, and Safari 26.3.

Recommendation

Update all Apple devices immediately. The "extremely sophisticated" language and Google TAG attribution strongly suggest nation-state exploitation. Apple patched nine zero-days in 2025 — CVE-2026-20700 marks the first of 2026. Organizations managing Apple device fleets should prioritize deployment through MDM solutions. The linked exploit chain involving WebKit and Metal rendering underscores the importance of keeping browsers and OS components current.

Read more

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

By Zero Day Wire
ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors

By Zero Day Wire