cbcvebase
CVE-2017-2404
Published 2017-04-02


Priority: P271 (low)
CVSS 3.1 base score: 3.3
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
VulnCheck KEV: exploited in the wild
EPSS: 1.44% (69.8th percentile)
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Quick Look" component. It allows remote attackers to trigger telephone calls to arbitrary numbers via a tel: URL in a PDF document, as exploited in the wild in October 2016.

Affected (2 ranges)

Vendor  Product    Version range  Fixed in
apple   ios        -              -
apple   iphone_os  <= 10.2.1      -

Detection & IOCs (extracted from sources)

URL indicator: tel:
  • Inspect PDF documents for embedded tel: scheme URIs, which may be used to silently trigger phone calls on unpatched iOS devices without user confirmation.
  • Flag PDF files delivered remotely that contain tel: hyperlinks — particularly those rendered via the iOS Quick Look component — as potentially malicious.
  • This vulnerability was actively exploited in the wild as of October 2016; treat any iOS device below 10.3 rendering PDFs with tel: links as a high-priority incident.
  • The vulnerable component is iOS Quick Look's handling of tel: URLs in PDFs. The fix adds a confirmation prompt; detection should focus on pre-patch (iOS < 10.3) devices or PDF delivery vectors that bypass user interaction.
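The first detection bullet above, worked through as an added example (this is not cbcvebase's or Apple's code): a small Python scanner that pulls the URI targets out of PDF link actions and reports those whose scheme is tel:. The PDF fragment is constructed for the example; both the literal-string and hex-string forms of a PDF string object are handled, since either can carry the URI.

```python
import re

# Constructed sample: a hand-written PDF fragment with two link annotations,
# one pointing at a tel: URI (literal string) and one at an https: URI (hex string).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (tel:+15555550100) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
  /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f7267> >> >> endobj
%%EOF
"""

# A /URI key is followed by a PDF string: either a literal "(...)" (backslash
# escapes allowed) or a hex string "<...>" (whitespace allowed between digits).
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)

def _decode(m: re.Match) -> str:
    """Turn a matched PDF string object into text."""
    if m.group("lit") is not None:
        raw = m.group("lit")
        # Undo the common literal-string escapes: \( \) \\
        raw = re.sub(rb"\\([()\\])", rb"\1", raw)
        return raw.decode("latin-1")
    hexdata = re.sub(rb"\s", b"", m.group("hex"))
    if len(hexdata) % 2:
        hexdata += b"0"  # PDF treats a missing final nibble as 0
    return bytes.fromhex(hexdata.decode("ascii")).decode("latin-1")

def extract_uris(pdf: bytes) -> list[str]:
    """All URI action targets visible in the (uncompressed) PDF bytes."""
    return [_decode(m) for m in URI_RE.finditer(pdf)]

def find_tel_uris(pdf: bytes) -> list[str]:
    """Only the targets whose scheme is tel:, compared case-insensitively."""
    return [u for u in extract_uris(pdf) if u.strip().lower().startswith("tel:")]

if __name__ == "__main__":
    for uri in find_tel_uris(SAMPLE_PDF):
        print("tel: link found:", uri)
```

The regex only sees objects stored in the clear; annotations packed into compressed object streams must be inflated first (a PDF library can do that) before this check is meaningful.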

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     3.3    LOW       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
nvd        v3.0     7.5    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck  -        7.5    HIGH      -