Critical Apple Flaw Exploited in ‘Sophisticated’ Attacks, Company Urges Rapid Patching

Apple is urging users to update their devices immediately after patching a zero-day vulnerability that was exploited in what it described as “extremely sophisticated” attacks against specific individuals.

The flaw, which impacts multiple Apple operating systems, allowed attackers to execute arbitrary code on vulnerable devices.

“An attacker with memory write capability may be able to execute arbitrary code,” Apple said in its security advisory.

What to know about CVE-2026-20700

The vulnerability is tracked as CVE-2026-20700. It affects dyld, which is Apple’s Dynamic Link Editor.

Dyld is a core component responsible for loading and linking executable code across iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. Because dyld operates at a foundational level within the operating system, a flaw in this component carries significant risk.

Apple classified the issue as an arbitrary code-execution vulnerability and warned that an attacker with memory-write capability could exploit it to run malicious code on an affected device.

In practical terms, successful exploitation could allow threat actors to execute payloads with elevated privileges, potentially enabling spyware deployment, data theft, or further privilege escalation as part of a broader attack chain.

Apple confirmed that CVE-2026-20700 was exploited in the same incidents as two previously patched vulnerabilities, CVE-2025-14174 and CVE-2025-43529, suggesting the possibility of exploit chaining. The company also confirmed that all three CVEs were exploited in targeted attacks, but did not elaborate on who was targeted or how they were chained together.

The vulnerability affects a broad range of devices, including iPhone 11 and later models; iPad Pro (3rd generation and later); iPad Air (3rd generation and later); iPad (8th generation and later); iPad mini (5th generation and later); and Mac systems running macOS Tahoe.

Must-read security coverage

• UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
• Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
• How GitHub Is Securing the Software Supply Chain
• 8 Best Enterprise Password Managers

Reducing mobile endpoint risk

While applying patches is the most immediate priority, organizations should also implement additional controls to reduce exposure and manage risk.

Mobile devices can store sensitive business data and support authentication workflows, which increases their importance in the enterprise environment.

• Patch all affected Apple devices immediately and enforce compliance through MDM with defined rapid patch SLAs.
• Implement conditional access policies that block outdated or unmanaged devices and require device health attestation before granting access to corporate resources.
• Deploy mobile threat defense and endpoint monitoring tools to detect exploit behavior, suspicious configuration changes, and anomalous network activity.
• Harden high-value accounts and devices by enforcing MFA, implementing least-privilege access, and enabling enhanced protections, such as Lockdown Mode, where appropriate.
• Segment mobile access to critical systems using zero-trust principles to limit lateral movement if a device is compromised.
• Audit third-party app permissions and restrict unnecessary privileges, unmanaged browsing, and configuration profile installations to reduce post-exploitation persistence opportunities.
• Regularly test incident response plans through tabletop exercises that include mobile zero-day and targeted attack scenarios.

Apple’s latest zero-day patch reinforces that mobile devices must be managed as Tier 1 enterprise assets within the overall risk program. Even when exploitation is described as targeted, security teams should assume the potential for broader exposure and prioritize rapid remediation.

Enforcing patch SLAs, layered technical controls, and continuous telemetry across mobile endpoints helps reduce operational risk and limit blast radius.

Editor’s note: This article originally appeared on our sister website, eSecurityPlanet.