Apple has released more than 20 vulnerability fixes for its mobile device ecosystem in a new round of updates to the twin iOS and iPadOS operating systems (OS), with a warning for users to update now ahead of likely exploitation in the wild.
Unless a major new vulnerability is disclosed in the next couple of months, the new Apple iOS update is likely to be the last major one before the supplier’s anticipated release of iOS 26 – alongside new iPhone models – later this year.
The update, which takes both the iPhone and iPad OS to version 18.6, is light on information when it comes to the various vulnerabilities contained within. As is customary when Apple issues new cyber security updates, the supplier does not like to give too much away lest it inadvertently gives threat actors the inside track on how best to compromise its vast user base.
The iOS and iPadOS 18.6 releases include fixes for a potentially serious CoreMedia Playback permissions vulnerability that may lead to an app being able to access sensitive data, tracked as CVE-2025-43230, and a patch for a flaw tracked as CVE-2025-31229, in which the VoiceOver feature may read aloud a user’s password.
Noteworthy too is a fix to CFNetwork, a network communications framework that is used by Apple to run HTTP, HTTPS and various other protocols. Tracked as CVE-2025-43223, the issue in question enables a low-privileged user to modify restricted network settings, potentially posing an extreme security risk.
Finally, also in scope are multiple issues affecting WebKit, the underlying open source browser engine powering Safari, Mail, the App Store, and other Apple and Linux applications. These bugs – 11 in all – have various impacts, from causing the Safari browser to crash, to data disclosure, denial of service and memory corruption.
None of the WebKit issues have been identified as zero-days but WebKit flaws are often sought out by threat actors, particularly nation-state-backed ones indulging in cyber espionage.
Nor is the volume of WebKit fixes was necessarily unusual for an iOS and iPadOS security release, but users should still pay attention, as Josh Stein, vice-president of security strategy at Jamf, a mobile device management (MDM) specialist, pointed out.
“The positive news from Apple is that none of these vulnerabilities have been exploited in the wild. However, this should not delay users from updating their devices to iOS 18.6. Keeping devices up to date with the latest patches is one of the most effective ways to safeguard against attackers,” Stein told Computer Weekly.
If the update has not been downloaded and applied automatically, users can hurry things along by navigating to Settings, General, then Software Update on their Apple devices.
Digital markets
At the same time, the latest updates also incorporate changes specific to the European Union (EU) which enable Apple to remain compliant with the Digital Markets Act.
These include updated App Store terms for developers to communicate and promote offers for end-users and new fees for doing so.
For EU users specifically, the update provides a refreshed experience for using alternative app marketplaces or downloading apps from a developer’s own site.