The tech giant has said it was “aware of a report that this issue may have been actively exploited,” but did not expand on just how many users had been affected. 

Both bugs exist within WebKit, Apple’s browser engine that powers Safari and applications. One bug could be exploited if the device has accessed or processed “maliciously crafted web content [that] may lead to arbitrary code execution.” 

Apple’s support page said that the second bug means malicious actors “may be able to execute arbitrary code with kernel privileges,” which effectively grants full access to the device. 

Security experts are advising users to update any device that could be affected including iPhones from 6S and above, newer iPads, Mac computers using MacOS Monterey, and even some iPod models. 

Who is most at risk?

This kind of bug has been exploited in the past by nation-state spyware, first breaking into the device’s web browser in order to gain control of the whole operating system and accessing sensitive data. 

Rachel Tobac, CEO of SocialProof Security, tweeted that those who are most at risk of getting hacked are those in the public eye, such as activists or journalists who might be the targets of sophisticated nation-state spying. 

The news comes as Apple is due to launch the new iPhone 14 on Sept. 7. 

Apple did not immediately respond to requests for comment.