Apple Patches Two Actively Exploited Zero-Day Vulnerabilities: What Organizations Need to Know in 2026

Apple releases security updates for iOS, iPad, and Mac platforms. Addresses two zero-day vulnerabilities that attackers have previously used to compromise devices. Latest update brings the total number of zero days patched by Apple to six since the beginning of the year. No information about these attacks has been made public.

Ozan Ucar, Founder and CEO of Keepnet

Last Updated: 2026-06-01

Two Critical Vulnerabilities Patched by Apple

Apple's security updates for iOS, iPadOS, and macOS patched two critical zero-day vulnerabilities (CVE-2022-32893 and CVE-2022-32894) that were being actively exploited in the wild at the time of disclosure. These vulnerabilities, when chained together, allowed attackers to achieve full device compromise from a single malicious webpage visit. By 2026, Apple has patched over 20 additional zero-day vulnerabilities that were actively exploited, averaging approximately 6-8 zero-days per year. The recurring pattern of iOS zero-day exploitation primarily by commercial spyware operators selling to government clients has prompted Apple to introduce Lockdown Mode (iOS 16+) and Rapid Security Response updates to accelerate patching for the most critical flaws.

What Are Zero Day Vulnerabilities, and Why Are They a Big Deal?

Zero-day vulnerabilities are security flaws that are unknown to the vendor and the public when attackers first exploit them. The term refers to the fact that the vendor has had zero days to develop and deploy a patch. By 2026, the zero-day exploit market has matured significantly: commercial vendors sell iOS zero-day chains for prices reported to exceed one million dollars per exploit, and government-grade spyware platforms such as those documented by security researchers require a continuous supply of new zero-days as Apple patches previous ones. The frequency of zero-day exploitation in Apple platforms reflects the high value of mobile device access for intelligence collection.

Apple’s proactive approach to patching these vulnerabilities reinforces its commitment to application security and user safety, and it’s crucial that users respond by installing these updates promptly.

Details of the Patched Zero Day Vulnerabilities

CVE-2022-32893: WebKit Issue Leading to Arbitrary Code Execution

CVE-2022-32893 is a WebKit vulnerability that could allow attackers to execute arbitrary code on the target device by having it process specially crafted web content. WebKit is the underlying engine that powers Safari, and a compromise here can directly affect browser security and data integrity on Apple devices. By manipulating this vulnerability, attackers can run unauthorized code on a device, which can lead to device takeovers, data theft, or further malware installation.

Apple fixed this issue by improving boundary checks within the WebKit engine, enhancing application security on iOS, iPadOS, and macOS devices. This vulnerability highlights the importance of boundary specification in application design, which limits what content can interact with sensitive system areas.

CVE-2022-32894: Core OS Vulnerability Allowing Kernel Privilege Escalation

The CVE-2022-32894 vulnerability is a flaw in Apple’s OS kernel, allowing attackers to execute malicious code with high privileges. The kernel is the core part of the operating system, responsible for controlling hardware interactions and enforcing security protocols. This means that if an attacker gains kernel level access, they could potentially control all aspects of the device, from network functions to sensitive data.

To mitigate this, Apple addressed the privilege escalation potential within the kernel by adding more rigorous verification and control measures. In doing so, Apple has closed off an attack vector that allowed malicious software to reach deeper levels of the device's operating system.

Why Regular Updates Are Crucial for Apple Users

With the patching of these two vulnerabilities, the total number of zero day vulnerabilities patched by Apple this year has risen to six. The other four zero days addressed in 2022 include:

CVE-2022-22587: IOMobileFrameBuffer issue allowing attackers to escalate privileges.
CVE-2022-22620: WebKit vulnerability that permitted arbitrary code execution.
CVE-2022-22674: A graphic driver flaw affecting Intel graphics that could expose sensitive memory data.
CVE-2022-22675: AppleAVD vulnerability that allowed unauthorized code execution.

This pattern of vulnerabilities highlights how frequently attackers exploit flaws before they are publicly known, reinforcing the need for regular, proactive updates.

How to Update Your Apple Devices

Updating Apple devices is simple and should be a priority for all users. Here’s how to do it:

For iOS and iPadOS: Go to Settings > General > Software Update and tap Download and Install.
For macOS: Go to System Preferences > Software Update and select Update Now.

Recommendations for IT and Security Teams

If you manage multiple Apple devices in a professional setting, here’s what you should prioritize:

Deploy updates across all managed devices: Use your Mobile Device Management (MDM) tools to push updates to all iOS, iPadOS, and macOS devices immediately. This reduces the window of vulnerability and ensures compliance.
Encourage security awareness training: Regularly train employees to recognize suspicious web content and phishing tactics, which are commonly used to exploit WebKit vulnerabilities. Keepnet Labs offers a Phishing Simulator to provide hands on practice for recognizing these attacks.
Use human risk management strategies: The Keepnet Human Risk Management Platform enables organizations to measure and mitigate risk across users, minimizing the chance of human errors that could lead to device compromise.

Staying Ahead of the Curve: Apple’s Commitment to Cybersecurity

Apple’s quick response to these vulnerabilities showcases its commitment to advanced application security and robust incident response. Zero day vulnerabilities will continue to emerge, and organizations using Apple products should maintain up to date security training, threat awareness, and device management policies.

Final Takeaway

In a world where cyber threats evolve constantly, Apple’s ongoing security updates are crucial defenses against unknown, active threats. Make it a priority to install these updates on all Apple devices to protect your data and your network from exploitation.

Editor's Note: This article was updated on June 1, 2026.

Schedule your 30-minute demo now

You'll learn how to:

Get insights on the latest phishing trends and tactics used to target Apple and other platforms.

Enhance device and user security by identifying potential weaknesses before attackers do.

Strengthen your incident response protocols to handle emerging zero-day threats effectively.

Frequently Asked Questions

What is a zero day vulnerability and why is it dangerous?

A zero day vulnerability is a security flaw in software or hardware that is unknown to the vendor at the time attackers begin exploiting it. The term refers to the fact that developers have had zero days to patch the flaw before it is being actively used in attacks. Zero day vulnerabilities are particularly dangerous because no patch exists at the point of exploitation, meaning defenders cannot protect systems by applying a vendor update. Attackers who discover or purchase zero day exploits can use them with high confidence of success against any unpatched target running the vulnerable software.

What were CVE-2022-32893 and CVE-2022-32894 and how were they exploited?

CVE-2022-32893 was a WebKit vulnerability that allowed attackers to execute arbitrary code on a target device simply by getting the user to visit a malicious webpage. WebKit is the browser engine underlying Safari and all iOS browsers. CVE-2022-32894 was a kernel level privilege escalation vulnerability in Apple's operating system that allowed an attacker who had already gained code execution to escalate their privileges to kernel level, giving them complete control over the device. The two vulnerabilities were typically chained: CVE-2022-32893 provided initial access, and CVE-2022-32894 elevated that access to full device control.

Who was targeted by the exploits for these Apple vulnerabilities?

Apple stated that it was aware of reports that these vulnerabilities may have been actively exploited but did not publicly name specific targets or threat actors. Based on the nature of the vulnerabilities and the historical pattern of similar iOS zero day chains, security researchers assessed that the exploits were most likely used in targeted attacks against high value individuals such as journalists, activists, executives, and government officials, rather than broad opportunistic campaigns. Commercial spyware operators have a documented history of developing and deploying iOS zero day chains against such targets.

How quickly should Apple device users apply security updates?

Users should apply Apple security updates as soon as they are available, ideally within 24 hours for updates that patch actively exploited vulnerabilities. Apple's rapid response updates, introduced in iOS 16 and later, can deliver critical security fixes between major OS releases and should also be applied promptly. For organizations managing fleets of Apple devices through MDM, deploying critical security updates should be treated as an emergency patching event rather than a routine maintenance task when the update patches actively exploited zero day vulnerabilities.

What is WebKit and why do WebKit vulnerabilities affect all iOS browsers?

WebKit is the open source browser engine developed by Apple that powers Safari. Apple's App Store policies require all browsers on iOS and iPadOS to use WebKit as their rendering engine, regardless of the browser brand. This means that a WebKit vulnerability affects not just Safari but every browser available on iOS, including Chrome, Firefox, and all other third party browsers on Apple's mobile platforms. A user who uses Chrome exclusively on their iPhone is just as vulnerable to a WebKit exploit as a Safari user.

What is kernel privilege escalation and why is it the most severe type of vulnerability?

The operating system kernel is the core component that controls all hardware and system resources. Kernel level access gives an attacker the highest possible privileges on a device, above any application or user account. With kernel access, an attacker can read and modify any data on the device, install persistent backdoors that survive reboots, disable security features, intercept encrypted communications, and access the device camera, microphone, and location without triggering user visible permissions. CVE-2022-32894 allowed attackers to escalate to this level from a code execution position obtained through a lower privilege exploit.

How many zero day vulnerabilities has Apple patched historically?

Apple patches a significant number of zero day vulnerabilities each year across its platforms. In 2021, Apple patched at least 12 actively exploited zero days. In 2022, the two vulnerabilities described in this article were among several zero days patched during the year. The frequency of zero day exploitation in Apple platforms reflects both the high value of iOS as a target, given the sensitive data on mobile devices, and the active market for iOS exploits among commercial spyware vendors and state sponsored threat actors.

What is Apple's Lockdown Mode and who should use it?

Apple's Lockdown Mode, introduced in iOS 16, is an optional extreme security mode designed for individuals who face targeted attacks from sophisticated threat actors such as state sponsored spyware. Lockdown Mode restricts many device features to significantly reduce the attack surface: it blocks most message attachment types, disables certain web technologies in Safari, prevents wired connections to computers, restricts configuration profile installation, and limits incoming FaceTime calls from unknown contacts. Most users do not need Lockdown Mode, but high risk individuals including journalists, executives, activists, and government officials should consider enabling it.

How should IT teams manage Apple security patches across a device fleet?

IT teams managing Apple devices should use Mobile Device Management (MDM) solutions that allow remote deployment of software updates across all managed devices. For critical security updates patching actively exploited vulnerabilities, a patch deployment target of 24 to 72 hours is appropriate. Teams should maintain an inventory of all Apple devices and their OS versions to identify unpatched exposure quickly. They should also monitor Apple's security update releases and sign up for Apple's security notifications. Employee security awareness should include guidance on applying personal device updates promptly. Keepnet's Security Awareness Training helps employees understand why prompt patching matters and how to apply updates correctly.

What is the broader lesson from recurring Apple zero day vulnerabilities for organizational security?

The recurring nature of Apple zero day vulnerabilities demonstrates that no platform is immune to security flaws, including platforms with strong security reputations. Organizations should maintain a layered security posture that does not depend on the assumption that any single platform or vendor is inherently secure. Rapid patching, mobile device management, network monitoring for anomalous behavior from mobile endpoints, and security aware employees who report suspicious device behavior all contribute to resilience. Keepnet's Incident Responder helps teams respond quickly when suspicious activity is reported from any device type.