iOS 18.7.7 macOS 15.7.5 Security Update Guide for Older Devices
Apple's iOS 18.x and macOS Sequoia 15.x point-release series includes a WebKit flaw that Apple confirmed may have been used in a targeted attack against specific individuals, plus kernel correctness failures and a cluster of crash-class browser bugs documented through iOS 18.7.3 and macOS Sequoia 15.7. If your device version starts with 18 or 15, a visible numbered update is the only way to get any of those fixes. Users on iOS 26.x may already be covered for the most recent WebKit patch without knowing it.
Two things to establish upfront. The research supporting this article covers iOS 18.7, 18.7.2, 18.7.3, and macOS Sequoia 15.7 and 15.3.2. The headline uses the search terms iOS 18.7.7 and macOS 15.7.5 because that is what many users will type. The security guidance here applies across the 18.x and 15.x branches, not those exact point versions.
Quick reference: which branch are you on?
Check before reading further.
- iPhone or iPad: Settings > General > About
- Mac: Apple menu > About This Mac
A version number starting with 18 or 15 means you are on the older branch. Numbered updates are the only path to these fixes. Background Security Improvements does not apply to you.
A version number starting with 26 means you are on the current branch and may already be covered for recent WebKit fixes, though manual verification is still worth doing.
What the iOS 18.x and macOS 15.x security updates are fixing
WebKit is Apple's web rendering engine. It powers Safari, Mail, and the App Store on every Apple platform, and on iOS it is the only rendering engine any browser is allowed to use, which means Chrome, Firefox, and every other iOS browser carries the same exposure as Safari when a WebKit flaw surfaces. That is why WebKit patches show up in Apple security bulletins with such regularity, and why they matter even if you do not use Safari.
Apple's iOS 18.7 bulletin, released in September 2025 and updated in November 2025, covered three categories of fixes, per Apple Support. A parallel macOS Sequoia 15.7 bulletin was released the same day, per Apple Support, though the detailed fix breakdown in the research data is on the iOS side.
Two fixes were at the kernel level. One corrected a state-management flaw: a UDP server socket bound to a local interface could end up binding to all interfaces, a meaningful network exposure. The second addressed a correctness gap that allowed an app to access sensitive user data it was not authorized to reach. Neither of these is a memory leak in the conventional sense, but both represent real failures in OS-level isolation.
The third fix was in WebKit. A caching flaw let a website silently access sensor data, specifically accelerometers and gyroscopes, without asking for user permission. Apple resolved it through improved cache handling, according to the same bulletin.
Subsequent point releases pushed further WebKit patches. CVE-2025-43438, fixed in iOS 18.7.2 and Safari 26.1, was a use-after-free flaw that could cause Safari to crash on maliciously crafted web content, per Tenable. CVE-2025-43535, fixed in iOS 18.7.3, involved similar memory-handling improvements against crafted content that could crash a browser process, per Tenable. Both carry a CVSS 3.1 score of 4.3 and near-zero EPSS exploitation probability scores. Disruptive if triggered. Not a meaningful threat to most users.
The fix that warrants genuine urgency: CVE-2025-43529
CVE-2025-43529 is a different situation entirely. Also fixed in iOS 18.7.3 and Safari 26.2, it was a use-after-free flaw that could allow malicious web content to execute arbitrary code. Apple stated it is aware of a report that the issue may have been exploited in an extremely sophisticated attack against specific targeted individuals running iOS versions prior to iOS 26, per Tenable's disclosure. Its CVSS 3.1 score is 8.8. A companion CVE, CVE-2025-14174, was issued in response to the same report.
One scoring note worth understanding: CVE-2025-43535 carries a legacy CVSS v2 score of 10, which looks alarming beside CVE-2025-43529's identical v2 score of 10. The modern CVSS 3.1 scores tell a different story: 4.3 versus 8.8. The older model inflates browser-crash bugs significantly. CVSS 3.1 is the reliable signal here.
For additional context, not as part of this point-release cluster but as a pattern: a year ago, CISA issued an advisory after Apple confirmed CVE-2025-24201, an out-of-bounds write flaw, had been used against specific targets running iOS versions prior to 17.2. That flaw could allow an attacker to escape the web content sandbox entirely, enabling remote code execution or spyware installation across iPhones, iPads, Macs, and Apple Vision Pro. Apple patched it in iOS 18.3.2 and macOS Sequoia 15.3.2, per Varutra's summary of the CISA alert.
The practical split: most users looking at a WebKit patch notice are looking at crash-prevention maintenance. CVE-2025-43529 is the exception. If you are a journalist, executive, lawyer, activist, or anyone else who might plausibly be a surveillance target, that one demands prompt attention. If you are already on iOS 18.7.3 or later, you have the fix. If not, that is the specific reason not to wait.
Who cannot use Background Security Improvements and why that matters
Apple's Background Security Improvements system, exclusive to the 26.x branch, can deliver lightweight WebKit patches on top of an existing release without incrementing the full OS version number. On iOS 18.x and macOS 15.x, that mechanism does not exist. Numbered updates are the only option, Malwarebytes confirmed this week.
Enterprise fleets that delay major OS upgrades for compatibility testing face a specific gap here. On the 26.x branch, some WebKit fixes can arrive silently without any user action. On the 18.x and 15.x branches, protection depends entirely on update prompts reaching managed devices and those prompts being acted on. Fleet administrators should cross-reference current device OS versions against Apple's published security bulletins, checking numbered installs on 18.x and 15.x devices against the latest documented point releases, rather than assuming prompts completed successfully across the fleet.
How Apple delivers patches on the 26.x branch
Apple introduced Background Security Improvements as a redesigned version of the Rapid Security Responses it deployed briefly in 2023. The original system modified Safari's version string in a way that caused Facebook and Instagram to serve mobile layouts to desktop users instead of the full site. Apple pulled those updates, reissued them, then issued no further Rapid Security Responses through the next two full OS cycles before relaunching the mechanism under its new name, starting with iOS 26.1, iPadOS 26.1, and macOS Tahoe 26.1, TidBITS reported. This time, only Safari's internal build number changes, which avoids triggering the browser-detection logic that caused the original problem.
This week, Apple used the system publicly for the first time, delivering a patch for CVE-2026-20643, a WebKit Navigation API flaw that could allow malicious web content to bypass the same-origin policy, the browser boundary preventing one site's scripts from reading data on another. It installed on top of existing 26.3.1 and 26.3.2 releases without a full OS update, as TidBITS confirmed.
The automatic installation timing is not publicly documented by Apple. Users can verify or manually trigger the update under Settings > Privacy & Security > Background Security Improvements on iPhone and iPad, or System Settings on Mac. After installation, the version number displays with a parenthetical letter: 26.3.1 (a), for example, according to Malwarebytes and TidBITS.
For IT administrators, that is where a compliance gap opens. A device protected by a Background Security Improvement shows no version-number change in the traditional sense. That is fine for individual users. For fleet compliance tracking, a silently patched device with a parenthetical suffix instead of a new version number is worth building into verification workflows before it becomes a problem.
What to do now
On iOS 18.x or macOS 15.x: Install the latest available numbered point release. The series through iOS 18.7.3 includes CVE-2025-43529, a confirmed targeted-exploitation case with a CVSS 3.1 score of 8.8, alongside the kernel correctness fixes and lower-severity WebKit crash bugs. CISA separately flagged CVE-2025-24201 as actively exploited a year ago, patched in iOS 18.3.2 and macOS Sequoia 15.3.2, per Tenable and Varutra's CISA summary. The short version: at least one documented WebKit flaw in this series may have been used in a targeted attack. Install the update.
On iOS 26.x or macOS Tahoe 26.x: Check Privacy & Security settings to confirm Background Security Improvements is enabled and that the version suffix shows the parenthetical letter. Apple considered CVE-2026-20643 important enough to ship outside a regular release cycle even with iOS 26.4 approaching, per TidBITS.
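One way to turn the fleet checks described above (numbered-release floors on 18.x and 15.x, the parenthetical suffix on 26.x) into an audit, as an added example that is not code from the article or from any Apple or MDM tool: it parses the version string as shown under About / About This Mac, including the Background Security Improvement letter, and applies a per-branch policy. The policy floors, device identifiers and inventory list are constructed assumptions; the 18.7.3 floor follows the article's fix version for CVE-2025-43529, and the macOS floor is a placeholder to set from the current Apple bulletin.

```python
import re
from typing import NamedTuple, Optional

# Matches "26.3.1 (a)" as well as "18.7.3": numeric version plus optional BSI letter
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\(([a-z])\))?\s*$")

class ParsedVersion(NamedTuple):
    parts: tuple               # e.g. (26, 3, 1)
    bsi_suffix: Optional[str]  # e.g. "a" when a Background Security Improvement is installed

def parse_version(text):
    """Parse an OS version string as reported by the device; raises on unknown formats."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OS version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return ParsedVersion(parts, m.group(2))

def _cmp_key(parts, width=3):
    # Pad so that 15.7 compares as 15.7.0 and sorts below 15.7.5
    return parts + (0,) * (width - len(parts))

# Constructed policy (assumption): minimum numbered release per older branch.
# 18.7.3 is the iOS release named for CVE-2025-43529; the 15.x floor is a placeholder.
POLICY_MIN_VERSION = {18: (18, 7, 3), 15: (15, 7)}

def assess(version_text):
    """Return a status string for one device's reported OS version."""
    v = parse_version(version_text)
    branch = v.parts[0]
    if branch in POLICY_MIN_VERSION:
        # Older branch: only a numbered point release carries the fix, so a BSI
        # suffix here is an inventory anomaly rather than evidence of patching
        if v.bsi_suffix:
            return "anomaly: BSI suffix reported on a branch without BSI"
        if _cmp_key(v.parts) >= _cmp_key(POLICY_MIN_VERSION[branch]):
            return "compliant: numbered release at or above policy floor"
        return "update required: below policy floor for this branch"
    if branch >= 26:
        if v.bsi_suffix:
            return "bsi-patched: Background Security Improvement installed"
        return "verify: 26.x without BSI suffix, confirm BSI is enabled and applied"
    return "out of scope: branch not covered by this policy"

def audit(inventory):
    """inventory: iterable of (device_id, version_text); returns {device_id: status}."""
    return {dev: assess(ver) for dev, ver in inventory}

if __name__ == "__main__":
    SAMPLE_INVENTORY = [  # constructed sample, not real fleet data
        ("iphone-01", "18.7.3"), ("iphone-02", "18.7.2"), ("mac-01", "15.7"),
        ("mac-02", "15.3.2"), ("iphone-03", "26.3.1 (a)"), ("iphone-04", "26.3.2"),
    ]
    for dev, status in audit(SAMPLE_INVENTORY).items():
        print(f"{dev}: {status}")
```

Feed it the version column exported from your MDM; anything reported as "verify" or "anomaly" is the device to look at by hand rather than assume the prompt completed.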
WebKit has been a recurring attack surface across Apple's platforms for over a year. Crash-class bugs in consecutive point releases, with occasional high-severity exceptions, are now the maintenance pattern, not an anomaly, as CVE-2025-43438 and CVE-2025-43535 both confirmed this month.
As Background Security Improvements matures, the gap between branches will widen. Older-branch users face more friction staying current; 26.x users receive patches with no action required. For anyone managing a fleet spanning both generations, that asymmetry is worth building into compliance workflows now, before the next high-severity WebKit fix ships and the gap becomes a liability.