Urgent: update your iPhone or iPad to iOS 26.2 right now. This isn’t hyperbole. SingCert under the Cyber Security Agency of Singapore (CSA) has flagged real-world exploitation of flaws that Apple has just patched. Apple released iOS 26.2 on December 12 to address more than 20 security issues — two of them already weaponised in targeted attacks. If you own a device on the affected list, delaying this update is inviting risk.
What happened and why it matters
Apple’s advisory and SingCert’s Dec 14 alert are clear: attackers used vulnerabilities in WebKit, the browser engine behind Safari and many iPhone browsers, to deliver malicious code and cause memory corruption. The two tracked weaknesses — CVE-2025-43529 and CVE-2025-14174 — let an attacker execute code remotely or corrupt memory simply by presenting a user with crafted web content.
Devices affected include a wide range of models: iPhone 11 and later, iPad Pro 12.9-inch (3rd gen and later), iPad Pro 11-inch (1st gen and later), iPad Air (3rd gen and later), iPad (8th gen and later), and iPad mini (5th gen and later). Apple warned users in roughly 150 countries that certain devices were being targeted by spyware — that’s not theoretical; that’s a direct threat.
“WebKit sits at the intersection of web content and the operating system. That makes it a valuable attack surface for adversaries seeking to compromise iOS devices,” said Darren Guccione, co-founder of Keeper Security.
A personal note — why I care so much
I work closely with small businesses in Singapore, and I still remember the panic last month when a boutique retailer turned up at my office after a routine payment failed. Their staff had been using a shared iPad for orders and didn’t update the OS for months. We patched the device, changed credentials, and tightened access controls. That day felt avoidable. It also felt personal: when a business owner looks at me and says, “We trusted this device to run the shop,” I feel outraged at how preventable many of these breaches are.
This new iOS update is not optional paperwork. It patches vulnerabilities that let attackers view hidden photo albums, extract payment tokens, and even access password fields while remotely controlling a device over FaceTime. Put bluntly: your private photos, payment data, and passwords are on the line.
Concrete steps to take right now
- Update immediately: Go to Settings › General › Software Update and install iOS 26.2. If you manage many devices, deploy the update through your device management system or tell staff to update within hours, not days.
- Enable automatic updates: Turn on automatic iOS updates so devices receive patches as soon as Apple releases them.
- Back up first: Use iCloud or a secure local backup before major updates. Rare issues happen; backups keep you safe.
- Review device access: Audit who has admin or shared access to company devices. Remove unused accounts and enforce unique passcodes.
- Strengthen authentication: Use strong, unique passwords and enable multi-factor authentication (MFA) everywhere possible. MFA is a blunt instrument against account takeover.
- Train staff: Teach people to recognise phishing, suspicious links, and unexpected prompts. Social engineering remains the most effective tool for attackers.
Why you must act fast
Once a vendor issues a patch, details of the vulnerability often become public quickly. That means attackers get a ready-made roadmap. As Mr. Guccione warned, “The longer users wait, the greater the risk.” If your devices remain unpatched, you’re a soft target on a timetable you do not control.
Think about the cost beyond money: reputational damage, the time spent recovering accounts, the sleepless nights for owners who realise customer data was exposed. Those consequences compound when fixes are neglected. A simple update today can prevent a crisis tomorrow.
What to watch for after updating
Updating reduces the immediate threat, but vigilance must continue. Monitor for unusual behaviour: battery drains, unexplained data usage, unknown apps, or logins from unfamiliar locations. If you suspect compromise, change passwords from a trusted device and perform a full device check or factory reset where necessary.
Also review privacy settings and app permissions. Confirm that sensitive fields — like password autofill and payment token storage — are protected. These are the places attackers aim for after an initial foothold.
Final call to action
Don’t wait for a notification that your device has been targeted. Take control by updating to iOS 26.2 now. Make automatic updates the default across your organisation. Teach your teams to spot tricks, use MFA, and pick passwords that aren’t recycled from a decade of breaches. Every patch closes a door that bad actors are actively trying to open.
If you need a quick checklist to hand to staff or clients, download one, pin it in the office, and make updating a non-negotiable part of device onboarding. Practical steps taken today save headaches, money and trust tomorrow. Your devices are not invincible — but a prompt update makes a world of difference.