Apple Withdraws iOS 18 Security Updates
forbes.com
We need to stop viewing these iOS 18 patches as mere "fixes." For sophisticated attackers, these release notes serve as "CVE Feature Catalogs" to weaponize simple human errors.
I’m currently finalizing a detailed forensic report on a real-world incident where I was the target of this exact attack chain. It began with a casual social encounter—a classic shoulder-surfing of my 6-digit passcode—but escalated through the unpatched vulnerabilities I’m now documenting.
As an IT architect, I’ve spent the last few weeks performing a deep-dive into the device logs to understand the "Authorization Gap" that allowed this to happen. What I found is terrifying: a single unpatched CVE combined with a stolen passcode effectively turns an iPhone into an identity-theft kit. Leaving these updates unpatched isn't just a security risk; it’s providing the final components for your own identity’s subversion. I’m sharing this because this isn't theoretical—it’s a systemic failure that is already being exploited.
Apple's artificial move to encourage people to upgrade… if they could release a security update for older iPhones they can release it for the rest of the models…
Absolutely. This reeks.
My iPads on 18.7.3 just yesterday started pushing notifications to upgrade to 26.2 again.
Guess Apple wants to pump up those numbers. If they really cared, if they had an ethical bone in their body, they would release 18.7.3 to the public WHICH THEY ALREADY HAVE STAGED.
This is more like blackmail where they are dangling these security issues over everyone's head as some scare tactic to upgrade, instead of giving everyone access to the iOS 18 security patch which already exists.
> If they really cared, if they had an ethical bone in their body, they would release 18.7.3 to the public WHICH THEY ALREADY HAVE STAGED.
> This is more like blackmail where they are dangling these security issues over everyone's head as some scare tactic to upgrade, instead of giving everyone access to the iOS 18 security patch which already exists.
18.7.3 was released a month ago. Anyone who cared about security updates would have already gotten it using the beta workaround. Anyone who's apathetic about updates isn't going to be swayed by 18.7.3 vs 26.2.
Guess some high up at Apple noticed iOS 26 adoption is low:
Forced obsolescence due to the iOS 26 bloat triggers a forced upgrade cycle.
More iPhone sales! Some VP up there is popping champagne after getting the genius idea to disguise it as a security feature and force it down people's throats.
> CVE-2025-43529 allows threat actors a direct code execution capability, while CVE-2025-14174 provides the much needed sandbox escape and privilege escalation capabilities which makes it devastating
Good news for people wanting to run the code they want on their own devices?
Yep! It's good for jailbreaking, but it's a double-edged sword because it's a similar approach that offensive actors use.
Most users lack the domain experience needed to protect and maintain hygiene against threat actors.
you and your friends can both run code on your device!
this assumes your friends are actually a North Korean APT
iOS 18 with glaring, actively-exploited security holes is still better than iOS 26.
This is very bad advice given that this CVE allows DCE.
Unless you are someone with significant security experience (which most HNers don't have), do not roll the dice with out-in-the-wild exploits, especially given how most people rely on their smartphones to a significant degree.
If I'm on 18.7.1, do I still need to upgrade?
https://www.cvedetails.com/version/2021355/Apple-Iphone-Os-1...
seems to be the same as 18.7.2
https://www.cvedetails.com/version/2037518/Apple-Iphone-Os-1...
Most likely. This is a WebKit issue whose patch is only shipped with iOS 26.2 or iOS 18.7.3 (but that's only available to a subset of iPhone and iPadOS devices).
Note the CVEs discussed were patched almost a month ago with iOS 18.7.3. If you used the beta workaround[1] to get that, you're safe and don't have to upgrade to iOS 26... for now.
Odd, I have an iPhone 11 on 18.6.2 and the Software Update page offers me nothing, just says "iOS is up to date".
A few weeks ago it was offering me iOS 26, but not anymore.
OK, I had iOS 18 beta selected. I turned that off and iOS 26.2 magically reappeared as an offering. I guess since 18.7.3 is not going to be offered to me, I must install 26.2.
18.7.3 is no longer available as beta? It was as of a few weeks ago. Public or Developer beta?
A few weeks ago, with 18 Developer Beta selected. 18.7.3 was offered to me. But not now.
I don't know if it still works, but there was a way to get 18.7.3 for devices pushed to "upgrade" to Tahoe, by enabling iOS 18 beta releases.
They closed that loophole a couple weeks ago. 18.7.3 is no longer available for phones that can run 26.
Joke's on them, I ran Android for years, I'm used to no security updates. iOS 18 forever!
I rejected iOS 26 for a while and boy did my opinion on whether Apple forces version changes do a 180. Everything people lambast Windows for was there. Nags with no “no” option, a red notification badge you can’t dismiss, scare dialogs, and disabling unrelated features. This latest slimy behavior is unfortunately quite consistent with how Apple treats disobedient iOS users.
On macOS they still seem to be stopped by firm enough non-consent, but they really try to force you first, and I get the impression they may do worse any year now.
If you’re in the public beta program you’ll already have this update.
> Take this seriously. If your iPhone does not have Apple’s new update, you must install it now. We know attacks on iPhones have started. We have been warned the threat will extend well beyond those highly targeted initial attacks. And hundreds of millions of iPhone users are also now facing down an unwelcome surprise.
It's hard to take this seriously.