Apple has started pushing critical software notifications directly to iPhones running outdated versions of iOS — a move that underscores just how seriously the company is treating a wave of actively exploited vulnerabilities that have surfaced in recent months. The alerts, which appear as persistent notifications urging users to update immediately, represent an escalation in Apple’s approach to device security. And they’re arriving on millions of phones whose owners have, for one reason or another, been hitting “Remind Me Later” for far too long.
The campaign isn’t subtle. Users on older iOS versions are receiving push notifications that bypass the usual passive update reminders, flagging specific security risks tied to known exploits. As TechRadar reported, these alerts are tied to patches Apple has already released — meaning the fixes exist, but a significant portion of the iPhone user base simply hasn’t installed them.
That gap between patch availability and patch adoption is the real story here. It’s a problem that haunts every major platform maker, but it carries particular weight for Apple, a company that has built its brand on the promise of security and privacy as default states. When vulnerabilities are being actively exploited in the wild — not theoretical, not proof-of-concept, but weaponized — every unpatched device becomes a live target.
The Vulnerabilities Behind the Warnings
Apple’s urgency traces back to a string of zero-day vulnerabilities disclosed and patched across iOS 17 and iOS 18 updates throughout late 2024 and into 2025. Several of these were reported by Google’s Threat Analysis Group and Amnesty International, entities that typically surface exploits used in targeted surveillance campaigns against journalists, dissidents, and political figures. But the downstream risk doesn’t stop at high-profile targets. Once an exploit is known, it proliferates. Criminal groups adopt techniques originally developed by state-sponsored actors. The attack surface widens.
Among the most significant patches in recent memory: fixes for WebKit vulnerabilities that allowed remote code execution through maliciously crafted web content. A user didn’t need to download anything suspicious or click a phishing link in the traditional sense. Simply visiting a compromised webpage — or having one loaded via an embedded ad — could be enough.
Other patched flaws targeted the kernel itself, granting attackers elevated privileges that could bypass sandboxing protections entirely. The kind of access that lets someone read messages, activate the microphone, or extract credentials. Silently.
Apple’s security release notes, characteristically terse, have repeatedly included the phrase “Apple is aware of a report that this issue may have been actively exploited.” That language, carefully chosen, has appeared with increasing frequency. In 2024, Apple patched more than 20 zero-day vulnerabilities across its platforms, according to tracking by Bleeping Computer. The pace hasn’t slowed in 2025.
So when Apple starts sending aggressive push notifications to users on older iOS builds, it isn’t a marketing exercise. It’s triage.
The mechanics of how these notifications work are worth examining. Apple has long had the ability to push system-level alerts to devices — the same infrastructure used for emergency broadcast alerts and Amber alerts. But using that channel for software update reminders represents a policy shift. Previously, update notifications lived within the Settings app, occasionally surfacing as badges or banners that were easy to dismiss. The new approach is harder to ignore, which is precisely the point.
According to data from analytics firms like Mixpanel, iOS adoption rates for the latest major version typically hover around 70-80% within a few months of release. That sounds high. But Apple has an active installed base of well over a billion iPhones. Twenty to thirty percent of a billion is a staggering number of devices running software with known, exploitable holes.
Some of those users are on older hardware that can’t run the latest iOS. An iPhone 8, for instance, topped out at iOS 16. Apple does backport critical security fixes to older major versions — iOS 16.7.x updates continued well into 2024 — but even those require the user to actually tap “Install.” Many don’t. Some users are on carrier plans that discourage large downloads. Others are simply in the habit of deferring updates because they’ve been burned by performance issues or app compatibility problems in the past. The reasons vary. The risk doesn’t.
A Broader Industry Reckoning With Patch Fatigue
Apple’s aggressive notification push arrives at a moment when the entire technology industry is grappling with what security researchers call “patch fatigue.” Users are bombarded with update prompts across every device they own — phones, laptops, smart TVs, routers, cars. The sheer volume has a numbing effect. Another update. Another restart. Another ten minutes of waiting. People tune it out.
But the threat environment has changed faster than user behavior has adapted. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities catalog that has grown substantially, and Apple products appear on it regularly. CISA has issued binding operational directives requiring federal agencies to patch known exploited vulnerabilities within specific timeframes — sometimes as short as two weeks. If the federal government treats these patches as urgent mandates, the average consumer ignoring them for months is operating with a fundamentally miscalibrated sense of risk.
Google has taken a parallel approach with Android, pushing security patch levels as a visible indicator and working with manufacturers to shorten the delay between patch release and device delivery. But Android’s fragmentation problem — with dozens of manufacturers and carriers controlling update timelines — makes Apple’s comparatively centralized model look efficient. Apple controls the hardware, the software, and the update pipeline. It doesn’t have to negotiate with Samsung or Verizon to get a patch out. That control makes the persistence of unpatched iPhones all the more frustrating from a security standpoint.
Microsoft, for its part, has spent years battling the same dynamic with Windows. The company’s decision to force automatic updates in Windows 10 and 11 was controversial but effective at reducing the patch gap. Apple has an auto-update feature in iOS, but it’s opt-in and doesn’t always trigger promptly. Users who’ve toggled it on may still find themselves days or weeks behind, particularly if their phone doesn’t meet the conditions Apple requires for automatic installation — sufficient battery life, a Wi-Fi connection, and an idle state overnight.
The push notification strategy is, in effect, an acknowledgment that the existing mechanisms aren’t sufficient. A more aggressive intervention was needed.
There’s a business dimension here too. Every high-profile iPhone exploit — every report of a journalist’s device being compromised, every Pegasus-style revelation — chips away at the trust Apple has cultivated. The company’s privacy marketing, from billboard campaigns to Tim Cook’s public statements, has positioned the iPhone as the secure choice. That positioning only holds if users actually run the software that delivers on the promise. An iPhone on iOS 16.3 in mid-2025 isn’t meaningfully more secure than a budget Android phone that hasn’t seen an update in two years. Possibly less so, given the premium Apple devices command as targets.
Apple’s recent moves also coincide with increasing regulatory scrutiny around software security obligations. The European Union’s Cyber Resilience Act, set to take full effect in coming years, will impose requirements on manufacturers to provide security updates and ensure users are informed of vulnerabilities. In the United States, the FCC and FTC have both signaled interest in holding device makers more accountable for the security lifecycle of consumer products. Apple pushing urgent notifications could be read, in part, as proactive compliance with the direction regulation is heading.
For enterprise IT departments, the implications are immediate. Organizations that allow personal iPhones to access corporate email, Slack, or cloud storage through bring-your-own-device policies are exposed every time an employee defers an update. Mobile device management solutions can enforce minimum OS version requirements, but many companies — particularly small and mid-sized businesses — don’t deploy them. The result is a patchwork of device security postures that’s difficult to audit and impossible to guarantee.
What Users Should Actually Do
The practical advice is straightforward, even if the underlying threat is complex. Update your iPhone. Do it now. Go to Settings, then General, then Software Update. If an update is available, install it. Turn on Automatic Updates if you haven’t already — it’s under the same menu. And if your device is too old to receive the latest iOS version, check whether Apple has released a security-specific update for your current major version. They often have.
For users on the iPhone 8 or earlier who are stuck on iOS 16, Apple has continued to issue targeted security patches. iOS 16.7.11, for example, was released specifically to address actively exploited vulnerabilities for users who can’t upgrade to iOS 17 or 18. But those patches won’t arrive forever. At some point, Apple will stop supporting older hardware entirely, and when that happens, the only real mitigation is a new device.
That’s an uncomfortable truth for a company that also markets sustainability and device longevity. But security has a shelf life. Hardware that can’t run current software eventually becomes a liability, no matter how well the physical device still functions.
The broader takeaway from Apple’s notification campaign is that the passive model of software updates — where the vendor makes a patch available and hopes users install it — is breaking down. The threats are too fast, the exploits too consequential, and user inertia too deeply entrenched. Apple is one of the few companies with both the technical capability and the market position to push harder. That it’s now choosing to do so tells you something about the severity of what it’s seeing in its threat intelligence.
Don’t ignore the notification. That’s the message. And for once, it’s not hyperbole.


WebProNews is an iEntry Publication