Apple iPhone Spyware Warning — Why Millions Must Update iOS Now After 'Sophisticated' Zero-Day Exploit

The flaw sat inside every Apple device for nearly two decades before Google researchers caught it being used in the wild

Apple's iOS 26.3 update fixes a memory corruption flaw that allowed attackers to run spyware on iPhones, iPads, and Macs.

Apple has released an urgent security update after confirming that a zero-day vulnerability in its operating system was exploited in what the company called an 'extremely sophisticated attack against specific targeted individuals.'

The flaw, tracked as CVE-2026-20700, is the first actively exploited zero-day Apple has disclosed in 2026, and it sat undetected inside every iPhone, iPad, Mac, Apple Watch, and Apple TV for nearly 20 years.

Google's Threat Analysis Group (TAG) discovered the vulnerability and reported it to Apple. The exploit chain also involves two WebKit flaws, CVE-2025-14174 and CVE-2025-43529, patched in December 2025. Anyone who skipped those updates remains exposed to the full attack sequence.

A Flaw Buried in Apple's Foundation Since 2007

CVE-2026-20700 is a memory corruption bug in dyld, Apple's Dynamic Link Editor, the core component responsible for loading shared libraries every time an application launches. It has been part of Apple's architecture since the original iPhone shipped in 2007. The vulnerability affected all versions of iOS before iOS 26, meaning the weakness existed for close to two decades without detection.

Once an attacker gains the ability to write to a device's memory, the flaw allows them to run any code they choose.

In practical terms, that means installing spyware, accessing banking apps, reading encrypted messages, and activating the camera or microphone. Apple said it addressed the issue with 'improved state management' in iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20700 to its Known Exploited Vulnerabilities catalog on 12 February 2026, setting a 5 March remediation deadline for federal agencies.

Commercial Spyware and the Surveillance Connection

Google TAG specialises in tracking state-sponsored hackers and commercial surveillance operations. The attack profile, paired with Apple's description of 'specific targeted individuals', points to operators of Pegasus-style commercial spyware targeting journalists, activists, and political dissidents.

Apple hasn't disclosed the identity of the attackers or the scope of the campaign. In 2025, the company patched nine zero-day vulnerabilities used in real-world attacks.

From Government Spyware to Criminal Gangs

Targeted surveillance is only part of the picture. Google Threat Intelligence Group recently revealed that an iOS exploit kit called Coruna, containing 23 exploits across five attack chains, has spread from a commercial spyware vendor's customer to a suspected Russian espionage group and then to financially motivated Chinese hackers.

iVerify, a mobile security firm that independently analysed the kit, called it the first observed case of mass exploitation against iOS devices. The company confirmed at least 42,000 devices were infected. Rocky Cole, iVerify's co-founder, compared the situation to the 2017 EternalBlue leak, when National Security Agency (NSA) hacking tools escaped into the wild and powered the WannaCry ransomware outbreak.

'Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations,' iVerify said.

What You Need to Do Right Now

If you own any Apple device, open Settings, go to General, and tap Software Update. Install iOS 26.3, macOS Tahoe 26.3, or the latest available patch for your device immediately.

Users running older hardware that can't support iOS 26 should update to iOS 18.7.5 and enable Lockdown Mode, which restricts the attack surface that exploit kits target. Google's research found that Coruna automatically backs off when it detects that Lockdown Mode is active.

Apple, Google, and CISA have all issued the same guidance. Every unpatched Apple device is a potential entry point.

Originally published on IBTimes UK