CVE-2023-32434
CVE-2023-32434: An integer overflow was addressed with improved input validation
Published: 2023-06-23
Priority: P186 · Severity: high · CVSS 3.1 base score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2023-07-14) · Exploited in the wild
EPSS: 51.52% (98.8th percentile)
An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 9.5.2, macOS Big Sur 11.7.8, iOS 15.7.7 and iPadOS 15.7.7, macOS Monterey 12.6.7, watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_15.7.7_and_ipados | — | — |
| apple | ios_15.8_and_ipados | — | — |
| apple | ios_16.5.1_and_ipados | — | — |
| apple | ios_and_ipados | >= unspecified < 15.7 | 15.7 |
| apple | ios_and_ipados | >= unspecified < 16.5 | 16.5 |
| apple | ipados | < 15.7.7 | 15.7.7 |
| apple | ipados | >= 16.0 < 16.5.1 | 16.5.1 |
| apple | iphone_os | < 15.7.7 | 15.7.7 |
| apple | iphone_os | >= 16.0 < 16.5.1 | 16.5.1 |
| apple | macos | >= 11.0 < 11.7.8 | 11.7.8 |
| apple | macos | >= 12.0.0 < 12.6.7 | 12.6.7 |
| apple | macos | >= 13.0 < 13.4.1 | 13.4.1 |
| apple | macos | >= unspecified < 12.6 | 12.6 |
| apple | macos | >= unspecified < 13.4 | 13.4 |
| apple | macos | >= unspecified < 11.7 | 11.7 |
| apple | macos_big_sur | — | — |
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| apple | watchos | < 8.8.1 | 8.8.1 |
| apple | watchos | — | — |
| apple | watchos | — | — |
| apple | watchos | >= 9.0 < 9.5.2 | 9.5.2 |
| apple | watchos | >= unspecified < 8.8 | 8.8 |
| apple | watchos | >= unspecified < 9.5 | 9.5 |
Detection & IOCs (extracted from sources)
Detection opportunities:
- Check iOS device backups for modification of empty SMS attachment directories followed immediately by BackupAgent network activity; this pattern indicates malicious attachment delivery and deletion.
- Analyze the shutdown.log file inside the sysdiagnose archive (located at \system_logs.logarchive\Extra) for infection artifacts; this is a lightweight, minimally intrusive method to detect iOS malware including Triangulation.
- Post-exploitation, the IMAgent process is launched with an injected payload to clear exploitation artifacts; unexpected IMAgent execution or injection should be flagged.
- The attack delivers a zero-click iMessage attachment exploiting CVE-2023-41990 (ADJUST TrueType font instruction RCE); monitor for anomalous iMessage attachment processing with no user interaction.
Detection limitations:
- All C2 communications occurred over HTTPS, preventing plaintext traffic inspection; network-level detection is limited to domain/IP reputation without SSL inspection.
- iOS SSL pinning for Apple services (including iMessage) prevents MITM interception even with a trusted root certificate installed, limiting traffic-based detection of the initial exploit delivery.
- The JS validator implements its own NaCl public-key encryption layer on top of HTTPS for C2 communications, meaning that even with SSL inspection the payload content remains encrypted without the ephemeral private key.
- The exploit actively clears artifacts post-exploitation via IMAgent injection, reducing the forensic evidence available in device backups or file system analysis.
- Forensic acquisition tools based on checkra1n did not work for modern processors running iOS 15 and 16 at the time of research, limiting full device imaging for newer devices.
- The unknown MMIO hardware registers exploited via CVE-2023-38606 are not listed in the Apple DeviceTree, making firmware-level detection of their abuse difficult without specialized hardware analysis.
CVSS provenance
- NVD (CVSS v3.1): 7.8 HIGH, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- VulnCheck: 7.8 HIGH
- CISA: 7.8 HIGH
GHSA
GHSA-4pvh-jrgh-mpvj: An integer overflow was addressed with improved input validation
ghsa_unreviewed·2023-06-23
CVE-2023-32434 [HIGH] CWE-190 GHSA-4pvh-jrgh-mpvj: An integer overflow was addressed with improved input validation
An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Big Sur 11.7.8, macOS Monterey 12.6.7, macOS Ventura 13.4.1, watchOS 9.5.2. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
VulnCheck
Apple Multiple Products Integer Overflow Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-32434 [HIGH] CWE-190 Apple Multiple Products Integer Overflow Vulnerability
Apple Multiple Products Integer Overflow Vulnerability
Apple iOS, iPadOS, macOS, and watchOS contain an integer overflow vulnerability that could allow an application to execute code with kernel privileges.
Affected: Apple Multiple Products
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.apple.com/kb/HT213808; https://support.apple.com/kb/HT213809; https://support.apple.com/kb/HT213810; https://support.apple.com/kb/HT213811; https://support.apple.com/kb/HT213812; https://support.apple.com/kb/HT213813; https://support.apple.com/kb/HT213814; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://support.apple.com/
Apple
CVE-2023-32434: iOS 15.8 and iPadOS 15.8
vendor_apple·2023-10-25·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: iOS 15.8 and iPadOS 15.8
Apple Security Update: About the security content of iOS 15.8 and iPadOS 15.8
Product: iOS 15.8 and iPadOS
Version: 15.8
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CISA
Apple Multiple Products Integer Overflow Vulnerability
cisa·2023-06-23·CVSS 7.8
CVE-2023-32434 [HIGH] CWE-190 Apple Multiple Products Integer Overflow Vulnerability
Vulnerability: Apple Multiple Products Integer Overflow Vulnerability
Affected: Apple Multiple Products
Apple iOS, iPadOS, macOS, and watchOS contain an integer overflow vulnerability that could allow an application to execute code with kernel privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://support.apple.com/en-us/HT213808, https://support.apple.com/en-us/HT213812, https://support.apple.com/en-us/HT213809, https://support.apple.com/en-us/HT213810, https://support.apple.com/en-us/HT213813, https://support.apple.com/en-us/HT213811, https://support.apple.com/en-us/HT213814; https://nvd.nist.gov/vuln/detail/CVE-2023-32434
Remediation Due Date: 2023-07-14
Apple
CVE-2023-32434: macOS Monterey 12.6.7
vendor_apple·2023-06-21·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: macOS Monterey 12.6.7
Apple Security Update: About the security content of macOS Monterey 12.6.7
Product: macOS Monterey
Version: 12.6.7
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
Apple
CVE-2023-32434: macOS Big Sur 11.7.8
vendor_apple·2023-06-21·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: macOS Big Sur 11.7.8
Apple Security Update: About the security content of macOS Big Sur 11.7.8
Product: macOS Big Sur
Version: 11.7.8
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
Apple
CVE-2023-32434: iOS 16.5.1 and iPadOS 16.5.1
vendor_apple·2023-06-21·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: iOS 16.5.1 and iPadOS 16.5.1
Apple Security Update: About the security content of iOS 16.5.1 and iPadOS 16.5.1
Product: iOS 16.5.1 and iPadOS
Version: 16.5.1
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
Apple
CVE-2023-32434: watchOS 8.8.1
vendor_apple·2023-06-21·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: watchOS 8.8.1
Apple Security Update: About the security content of watchOS 8.8.1
Product: watchOS
Version: 8.8.1
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
Apple
CVE-2023-32434: macOS Ventura 13.4.1
vendor_apple·2023-06-21·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: macOS Ventura 13.4.1
Apple Security Update: About the security content of macOS Ventura 13.4.1
Product: macOS Ventura
Version: 13.4.1
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
Apple
CVE-2023-32434: watchOS 9.5.2
vendor_apple·2023-06-21·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: watchOS 9.5.2
Apple Security Update: About the security content of watchOS 9.5.2
Product: watchOS
Version: 9.5.2
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
Apple
CVE-2023-32434: iOS 15.7.7 and iPadOS 15.7.7
vendor_apple·2023-06-21·CVSS 7.8
CVE-2023-32434 [HIGH] CVE-2023-32434: iOS 15.7.7 and iPadOS 15.7.7
Apple Security Update: About the security content of iOS 15.7.7 and iPadOS 15.7.7
Product: iOS 15.7.7 and iPadOS
Version: 15.7.7
CVE: CVE-2023-32434
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
No detection rules found.
No public exploits indexed.
Securelist
Coruna: the framework used in Operation Triangulation
blogs_securelist·2026-03-26·CVSS 7.8
[HIGH] Coruna: the framework used in Operation Triangulation
Boris Larin
Table of Contents
Introduction
Technical details
Safari
Payload
Kernel exploits
Launcher
Conclusions
Authors
Boris Larin
## Introduction
On March 4, 2026, Google and iVerify published reports about a highly sophisticated exploit kit targeting Apple iPhone devices. According to Google, the exploit kit was first discovered in targeted attacks conducted by a customer of an unnamed surveillance vendor. It was later used by other attackers in watering-hole attacks in Ukraine and in financially motivated attacks in China. Additionally, researchers discovered an instance with the debug version of the exploit kit, which revealed the internal names of the exploits and the framework name used by its developers — Coruna. Analysis of the kit showed that it relies on the exploit
Bleepingcomputer
Coruna iOS exploit framework linked to Triangulation attacks
blogs_bleepingcomputer·2026-03-26·CVSS 7.8
[HIGH] Coruna iOS exploit framework linked to Triangulation attacks
## Coruna iOS exploit framework linked to Triangulation attacks
## Bill Toulas
After analyzing the exploit code for the two security issues, Kaspersky researchers determined that Coruna ran an updated version of the exploit used in Operation Triangulation that had started since 2019.
Additional code similarities led to the conclusion that the kit is the successor to the malicious framework leveraged in the Triangulation campaign that also targeted iPhones on Kaspersky's network.
“During our analysis we’ve discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 vulnerabilities used in Coruna, in fact, is an updated version of the same exploit that was used in Operation Triangulation,” the researchers say in a report today.
Kaspersky's analysis shows that the attack be
Hackernews
Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks
blogs_hackernews·2026-03-26·CVSS 7.8
[HIGH] Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks
## Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks
The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
"When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared vulnerabilities alone don't prove shared authorship," Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in a statement.
"Coruna is no
Bleepingcomputer
Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
blogs_bleepingcomputer·2025-03-11·CVSS 7.8
CVE-2025-24201 [HIGH] Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
## Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
## Sergiu Gatlan
Apple said attackers can exploit the CVE-2025-24201 vulnerability using maliciously crafted web content to break out of the Web Content sandbox.
The company has fixed this out-of-bounds write issue with improved checks to prevent unauthorized actions in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.
The list of devices impacted by this zero-day is quite extensive, as the bug affects older and newer models, including:
iPhone XS and later,
iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Macs
Bleepingcomputer
Apple fixes zero-day exploited in 'extremely sophisticated' attacks
blogs_bleepingcomputer·2025-02-10·CVSS 7.8
[HIGH] Apple fixes zero-day exploited in 'extremely sophisticated' attacks
## Apple fixes zero-day exploited in 'extremely sophisticated' attacks
## Sergiu Gatlan
USB Restricted Mode is a security feature (introduced almost seven years ago in iOS 11.4.1) that blocks USB accessories from creating a data connection if the device has been locked for over an hour. This feature is designed to block forensic software like Graykey and Cellebrite (commonly used by law enforcement) from extracting data from locked iOS devices.
In November, Apple introduced another security feature (dubbed "inactivity reboot") that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software.
The zero-day vulnerability (tracked as CVE-2025-24200 and reported by Citizen Lab's Bill Marczak) patched today by Apple is an author
Bleepingcomputer
Apple fixes this year’s first actively exploited zero-day bug
blogs_bleepingcomputer·2025-01-27·CVSS 6.5
CVE-2024-23222 [MEDIUM] Apple fixes this year’s first actively exploited zero-day bug
## Apple fixes this year’s first actively exploited zero-day bug
## Sergiu Gatlan
According to the company's official documentation, Core Media "defines the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms."
Apple has fixed CVE-2024-23222 with improved memory management in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3.
The list of devices impacted by this zero-day is quite extensive, as the bug affects older and newer models, including:
iPhone XS and later,
iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
macOS Sequoia
Apple Watch Ser
Bleepingcomputer
Apple fixes two zero-days used in attacks on Intel-based Macs
blogs_bleepingcomputer·2024-11-19·CVSS 8.8
CVE-2024-44308 [HIGH] Apple fixes two zero-days used in attacks on Intel-based Macs
## Apple fixes two zero-days used in attacks on Intel-based Macs
## Lawrence Abrams
The JavaScriptCore CVE-2024-44308 flaw allows attackers to achieve remote code execution through maliciously crafted web content. The other flaw, CVE-2024-44309, allows cross-site scripting (CSS) attacks.
The company says it addressed the security flaws in macOS Sequoia 15.1.1.
As the same components are found in other Apple operating systems, it was also fixed in iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, and visionOS 2.1.1.
While Apple says both flaws were discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group, the company has not provided further details on how they were exploited.
BleepingComputer contacted Google to learn how the flaws were exploite
Securelist
IT threat evolution Q1 2024
blogs_securelist·2024-06-03·CVSS 7.8
[HIGH] IT threat evolution Q1 2024
Table of Contents
Targeted attacks
Operation Triangulation: the final mystery
A lightweight method for detecting potential iOS malware
DinodasRAT Linux implant targeting entities worldwide
Other malware
New macOS backdoor stealing crypto wallets
Coyote: a multi-stage banking Trojan
Network tunneling with … QEMU
Authors
David Emm
IT threat evolution Q1 2024
IT threat evolution Q1 2024. Mobile statistics
IT threat evolution Q1 2024. Non-mobile statistics
## Targeted attacks
## Operation Triangulation: the final mystery
Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to browse and modify device files, get passwords and credentials stored in the
Securelist
Malware report Q1 2024 – quarter review
blogs_securelist·2024-06-03·CVSS 7.8
[HIGH] Malware report Q1 2024 – quarter review
Table of Contents
- Targeted attacks
- Other malware
Authors
- David Emm
IT threat evolution Q1 2024
IT threat evolution Q1 2024. Mobile statistics
IT threat evolution Q1 2024. Non-mobile statistics
## Targeted attacks
### Operation Triangulation: the final mystery
Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information and execute additional modules that extended their control over compromised devices.
In late December, in a presentation at the 37th Chaos Communication Congress (37C3), experts from our Global Research and Analysis T
Bleepingcomputer
Apple fixes first zero-day bug exploited in attacks this year
blogs_bleepingcomputer·2024-01-22·CVSS 8.8
[HIGH] Apple fixes first zero-day bug exploited in attacks this year
## Apple fixes first zero-day bug exploited in attacks this year
## Sergiu Gatlan
"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited," Apple said today.
The company has yet to attribute the discovery of this security vulnerability to a security researcher. Although the company disclosed that it's aware of in-the-wild exploitation, it has yet to publish further details regarding these attacks.
Apple addressed CVE-2024-23222 with improved checks in iOS 16.7.5 and later, iPadOS 16.7.5 and later, and macOS Monterey 12.7.3 and higher, as well as on tvOS 17.3 and later.
The complete list of devices impacted by this WebKit zero-day is quite extensive, as the bug affects older and newer models, i
Sentinelone
Protecting macOS | 7 Strategies for Enterprise Security in 2024
blogs_sentinelone·2024-01-02
Protecting macOS | 7 Strategies for Enterprise Security in 2024
Welcome to 2024! It may be a new year for us all, but it’s very much business as usual for cybersecurity professionals. Last year saw an increase in the number and variety of new threats targeting the macOS platform, and as the influence of the Mac continues to expand in enterprise environments, there is little doubt that 2024 will continue that trend.
In this post, we reflect on the lessons we can learn from the last 12 months of threat activity against Apple’s desktop operating system, and offer 7 strategies for defenders to help bolster their threat hunting, detection and mitigation efforts.
## 1. Don’t Rely on Persistence for Detection
Perhaps the most important lesson that defenders learned from 2023’s crop of macOS malware was that monitoring for persistence methods became a much
Bleepingcomputer
The biggest cybersecurity and cyberattack stories of 2023
blogs_bleepingcomputer·2024-01-01
The biggest cybersecurity and cyberattack stories of 2023
## The biggest cybersecurity and cyberattack stories of 2023
## Lawrence Abrams
2023 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities.
Some stories, though, were more impactful or popular with our 22 million readers than others.
Below are fourteen of what BleepingComputer believes are the most impactful cybersecurity stories of 2023, with a summary of each.
## 14. The 23andMe data breach
Genetic testing provider 23andMe suffered credential stuffing attacks that led to a major data breach, exposing the data of 6.9 million users.
The company states that the attackers only breached a small number of accounts during the credential-stuffing attacks. However, the threat actors were able to
Securelist
Operation Triangulation: The last (hardware) mystery
blogs_securelist·2023-12-27·CVSS 5.5
CVE-2023-38606 [MEDIUM] Operation Triangulation: The last (hardware) mystery
Table of Contents
Operation Triangulation’ attack chain
The mystery and the CVE-2023-38606 vulnerability
Technical details
Conclusion
Update 2024-01-09
Authors
Boris Larin
UPD 23.04.2025: MITRE created a page for Operation Triangulation as part of its ATT&CK framework.
Today, on December 27, 2023, we (Boris Larin, Leonid Bezvershenko, and Georgy Kucherin) delivered a presentation, titled, “Operation Triangulation: What You Get When Attack iPhones of Researchers”, at the 37th Chaos Communication Congress (37C3), held at Congress Center Hamburg. The presentation summarized the results of our long-term research into Operation Triangulation, conducted with our colleagues, Igor Kuznetsov, Valentin Pashkov, and Mikhail Vinogradov.
This presentation was also the first time we had
Bleepingcomputer
iPhone Triangulation attack abused undocumented hardware feature
blogs_bleepingcomputer·2023-12-27·CVSS 7.8
CVE-2023-38606 [HIGH] iPhone Triangulation attack abused undocumented hardware feature
## iPhone Triangulation attack abused undocumented hardware feature
## Bill Toulas
## Highly sophisticated attacks
Of the above flaws, CVE-2023-38606, which was addressed on July 24, 2023, with the release of iOS/iPadOS 16.6, is the most intriguing for Kaspersky's analysts.
Exploiting the flaw allows an attacker to bypass hardware protection on Apple chips that prevent attackers from obtaining complete control over the device when they gain read and write access to the kernel memory, which was achieved using the separate CVE-2023-32434 flaw.
In the deep-dive technical writeup, Kaspersky explains that CVE-2023-38606 targets unknown MMIO (memory-mapped I/O) registers in Apple A12-A16 Bionic processors, likely linked to the chip's GPU co-processor, which are not listed in the DeviceTree
Bleepingcomputer
Apple emergency updates fix recent zero-days on older iPhones
blogs_bleepingcomputer·2023-12-11·CVSS 6.5
[MEDIUM] Apple emergency updates fix recent zero-days on older iPhones
## Apple emergency updates fix recent zero-days on older iPhones
## Sergiu Gatlan
They can let attackers obtain access to sensitive data and execute arbitrary code using maliciously crafted webpages designed to exploit out-of-bounds and memory corruption bugs on unpatched devices.
Today, Apple addressed the zero-days in iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2 with improved input validation and locking.
The company says the bugs are now also patched on the following list of devices:
iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Apple TV HD and Apple TV 4K (all models)
Apple Watch Series 4 and later
Clément Lecigne, a security researcher from Google's Threat
Bleepingcomputer
Apple fixes two new iOS zero-days in emergency updates
blogs_bleepingcomputer·2023-11-30·CVSS 8.6
[HIGH] Apple fixes two new iOS zero-days in emergency updates
## Apple fixes two new iOS zero-days in emergency updates
## Sergiu Gatlan
The company says it addressed the security flaws for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.
The list of impacted Apple devices is quite extensive, and it includes:
iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Macs running macOS Monterey, Ventura, Sonoma
Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) found and reported both zero-days.
While Apple has not released information regarding ongoing exploitation in
Checkpoint
30th October – Threat Intelligence Report
blogs_checkpoint·2023-10-30
CVE-2023-32434 30th October – Threat Intelligence Report
## 30th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 30th October, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Stanford University has been a victim of cyber-attack that affected the systems of its Department of Public Safety (SUDPS). Akira ransomware gang claimed responsibility for the attack, which allegedly resulted in the exposure of 430GB of university’s data.
Check Point Harmony End Point and Threat Emulation provides prote
Securelist
How Kaspersky obtained all stages of Operation Triangulation
blogs_securelist·2023-10-26
How Kaspersky obtained all stages of Operation Triangulation
Table of Contents
- First steps
- Device imaging
- Examining backups
- Trying to intercept the malicious iMessage
- Good old MITM
- Catching the JavaScript validator
- The binary validator and the hint about the attachment
- Exploring iMessage
- Getting the implant
- Obtaining the modules
- Conclusion
Authors
- Leonid Bezvershenko
- Georgy Kucherin
- Igor Kuznetsov
- Boris Larin
- Valentin Pashkov
UPD 23.04.2025: MITRE created a page for Operation Triangulation as part of its ATT&CK framework.
In the beginning of 2023, thanks to our Kaspersky Unified Monitoring and Analysis Platform (KUMA) SIEM system, we noticed suspicious network activity that turned out to be an ongoing attack targeting the iPhones and iPads of our colleagues. The moment we understood that there was a clear patter
Bleepingcomputer
Apple fixes iOS Kernel zero-day vulnerability on older iPhones
blogs_bleepingcomputer·2023-10-12·CVSS 7.8
CVE-2023-5217 [HIGH] Apple fixes iOS Kernel zero-day vulnerability on older iPhones
## Apple fixes iOS Kernel zero-day vulnerability on older iPhones
## Sergiu Gatlan
Apple has now also fixed the issue in iOS 16.7.1 and iPadOS 16.7.1 with improved checks, but it has yet to reveal who discovered and reported the flaw.
The second one, a bug identified as CVE-2023-5217, is caused by a heap buffer overflow vulnerability within the VP8 encoding of the open-source libvpx video codec library. This flaw could let threat actors gain arbitrary code execution upon successful exploitation.
Even though Apple did not confirm any instances of exploitation in the wild, Google previously patched the libvpx bug as a zero-day in its Chrome web browser. Microsoft also addressed the same vulnerability in its Edge, Teams, and Skype products.
Google attributed the discovery of CVE-2023-521
Bleepingcomputer
Apple emergency update fixes new zero-day used to hack iPhones
blogs_bleepingcomputer·2023-10-04·CVSS 7.8
[HIGH] Apple emergency update fixes new zero-day used to hack iPhones
## Apple emergency update fixes new zero-day used to hack iPhones
## Sergiu Gatlan
While Apple said it addressed the security issue in iOS 17.0.3 and iPadOS 17.0.3 with improved checks, it has yet to reveal who found and reported the flaw.
The list of impacted devices is quite extensive, and it includes:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Apple also addressed a bug tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.
While Apple
Bleepingcomputer
Apple emergency updates fix 3 new zero-days exploited in attacks
blogs_bleepingcomputer·2023-09-21·CVSS 8.8
[HIGH] Apple emergency updates fix 3 new zero-days exploited in attacks
## Apple emergency updates fix 3 new zero-days exploited in attacks
## Sergiu Gatlan
Apple fixed the three zero-day bugs in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificate validation issue and through improved checks.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the company revealed in security advisories describing the security flaws.
The list of impacted devices encompasses older and newer device models, and it includes:
- iPhone 8 and later
- iPad mini 5th generation and later
- Macs running macOS Monterey and newer
- Apple Watch Series 4 and later
All three zero-days were found and reported by Bill Marczak of the Citizen Lab at The University of Toronto'
Bleepingcomputer
Apple backports BLASTPASS zero-day fix to older iPhones
blogs_bleepingcomputer·2023-09-12·CVSS 8.8
[HIGH] Apple backports BLASTPASS zero-day fix to older iPhones
## Apple backports BLASTPASS zero-day fix to older iPhones
## Bill Toulas
When the phones received and processed the attachment, it installed NSO's Pegasus spyware, even on fully patched iOS (16.6) devices.
Apple released fixes for the two flaws with macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, and CISA published an alert requiring federal agencies to patch by October 2, 2023.
The security updates have now been backported to iOS 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9, and macOS Big Sur 11.7.10 to prevent the use of this attack chain on those devices.
It's worth noting that support for iOS 15 ended a year ago, in September 2022, while the vendor still supports Monterey and Big Sur.
The security updates cover all iPhone 6s models, the iPhone 7, the fir
Bleepingcomputer
CISA warns govt agencies to secure iPhones against spyware attacks
blogs_bleepingcomputer·2023-09-11·CVSS 6.5
CVE-2023-41064 [MEDIUM] CISA warns govt agencies to secure iPhones against spyware attacks
## CISA warns govt agencies to secure iPhones against spyware attacks
## Sergiu Gatlan
"Apple is aware of a report that this issue may have been actively exploited," the company said when describing the two Image I/O and Wallet vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061.
The list of impacted devices is quite extensive, as the bugs affect both older and newer models, and it includes:
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
- Apple Watch Series 4 and later
Apple fixed the two zero-days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with memory handling and improved logic. Both allow attackers to gain arbitrary c
Bleepingcomputer
Apple zero-click iMessage exploit used to infect iPhones with spyware
blogs_bleepingcomputer·2023-09-07·CVSS 8.8
[HIGH] Apple zero-click iMessage exploit used to infect iPhones with spyware
## Apple zero-click iMessage exploit used to infect iPhones with spyware
## Sergiu Gatlan
"The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."
Citizen Lab also urged Apple customers to update their devices immediately and encouraged those at risk of targeted attacks due to their identity or profession to activate Lockdown Mode.
Apple and Citizen Lab security researchers discovered the two zero-days in the Image I/O and Wallet frameworks.
CVE-2023-41064 is a buffer overflow triggered when processing maliciously crafted images, while CVE-2023-41061 is a validation issue that can be exploited via malicious attachments.
Both allow threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.
Bleepingcomputer
Apple discloses 2 new zero-days exploited to attack iPhones, Macs
blogs_bleepingcomputer·2023-09-07·CVSS 6.5
CVE-2023-41064 [MEDIUM] Apple discloses 2 new zero-days exploited to attack iPhones, Macs
## Apple discloses 2 new zero-days exploited to attack iPhones, Macs
## Sergiu Gatlan
Citizen Lab also revealed today that the CVE-2023-41064 and CVE-2023-41061 bugs were actively abused as part of a zero-click iMessage exploit chain named BLASTPASS that was used to deploy NSO Group's Pegasus mercenary spyware onto fully-patched iPhones (running iOS 16.6) via PassKit attachments containing malicious images.
CVE-2023-41064 is a buffer overflow weakness that gets triggered when processing maliciously crafted images, and it can lead to arbitrary code execution on unpatched devices.
CVE-2023-41061 is a validation issue that can be exploited using a malicious attachment to also gain arbitrary code execution on targeted devices.
Apple fixed the zero-days in macOS Ventura 13.5.2,
Talos
New video provides a behind-the-scenes look at Talos ransomware hunters
blogs_talos·2023-06-29
New video provides a behind-the-scenes look at Talos ransomware hunters
Welcome to this week’s edition of the Threat Source newsletter.
AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.
There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.
These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.
There are also dozens of apps t
Checkpoint
26th June – Threat Intelligence Report
blogs_checkpoint·2023-06-26
CVE-2023-32434 26th June – Threat Intelligence Report
## 26th June – Threat Intelligence Report
Hawaii’s largest university, the University of Hawai’i, has disclosed that one of its campuses had suffered a ransomware attack. The impact of the attack had not been made public by the university, but ransomware gang NoEscape, which has assumed responsibility for the attack, claimed to have exfiltrated 65 GB of sensitive data from the university’s network.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.NoEscape)
Af
- http://seclists.org/fulldisclosure/2023/Oct/20
- https://support.apple.com/en-us/HT213808
- https://support.apple.com/en-us/HT213809
- https://support.apple.com/en-us/HT213810
- https://support.apple.com/en-us/HT213811
- https://support.apple.com/en-us/HT213812
- https://support.apple.com/en-us/HT213813
- https://support.apple.com/en-us/HT213814
- https://support.apple.com/kb/HT213990
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32434
- Published: 2023-06-23
- Added to CISA KEV: 2023-06-23
- Exploited in the wild