Google and Apple have rolled out emergency security updates after discovering zero-day vulnerabilities being actively exploited by hackers. The coordinated response points to a sophisticated cyber campaign, potentially involving government-backed actors.
On Wednesday, Google released security patches for several vulnerabilities in its Chrome browser. The company confirmed that one of the bugs was already being exploited by hackers before it could be fixed.
Unusually, Google initially shared no technical details about the flaw or the nature of the attacks.
On Friday, Google updated its advisory, revealing that the vulnerability was discovered by Apple’s security engineering team and Google’s Threat Analysis Group.
This group typically tracks government hackers and mercenary spyware operators.
The disclosure suggests the hacking campaign may have been carried out by state-backed or highly resourced attackers.
Apple confirms sophisticated targeted attacks
At the same time, Apple released security updates for a wide range of products. These include iPhones, iPads, Macs, Apple Watch, Apple TV, Vision Pro, and the Safari browser.
Zero-day bugs fixed
In its advisory for iPhones and iPads, Apple said it patched two security flaws. The company stated it was aware that the issues “may have been exploited in an extremely sophisticated attack against specific targeted individuals” whose devices were running versions earlier than iOS 26.
This language is typically used by Apple to indicate confirmed zero-day exploitation.
What zero-day attacks mean
Zero-day vulnerabilities are flaws unknown to software makers at the time hackers exploit them. Such attacks often leave users defenseless until a patch is released.
In past cases, similar attacks have involved spyware tools developed by firms such as NSO Group or Paragon Solutions.
These tools have historically been used to spy on journalists, political dissidents, and human rights activists. Apple and Google did not disclose how many users were affected in this latest campaign.







