CVE-2023-32434
published 2023-06-23


Priority: P1 86 · high · 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2023-07-14
Exploited in the wild
EPSS: 51.52% (98.8th percentile)
An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 9.5.2, macOS Big Sur 11.7.8, iOS 15.7.7 and iPadOS 15.7.7, macOS Monterey 12.6.7, watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

Affected

24 ranges
Vendor  Product                 Version range              Fixed in
apple   ios_15.7.7_and_ipados
apple   ios_15.8_and_ipados
apple   ios_16.5.1_and_ipados
apple   ios_and_ipados          >= unspecified < 15.7      15.7
apple   ios_and_ipados          >= unspecified < 16.5      16.5
apple   ipados                  < 15.7.7                   15.7.7
apple   ipados                  >= 16.0 < 16.5.1           16.5.1
apple   iphone_os               < 15.7.7                   15.7.7
apple   iphone_os               >= 16.0 < 16.5.1           16.5.1
apple   macos                   >= 11.0 < 11.7.8           11.7.8
apple   macos                   >= 12.0.0 < 12.6.7         12.6.7
apple   macos                   >= 13.0 < 13.4.1           13.4.1
apple   macos                   >= unspecified < 12.6      12.6
apple   macos                   >= unspecified < 13.4      13.4
apple   macos                   >= unspecified < 11.7      11.7
apple   macos_big_sur
apple   macos_monterey
apple   macos_ventura
apple   watchos                 < 8.8.1                    8.8.1
apple   watchos
apple   watchos
apple   watchos                 >= 9.0 < 9.5.2             9.5.2
apple   watchos                 >= unspecified < 8.8       8.8
apple   watchos                 >= unspecified < 9.5       9.5

Detection & IOCs (extracted from sources)

domain: backuprabbit[.]com
path:   \system_logs.logarchive\Extra\shutdown.log
other:  MMIO address 0x206040000
other:  MMIO address 0x206140000
other:  MMIO address 0x206150000
other:  MMIO address 0x206140008
other:  MMIO address 0x206140108
other:  MMIO address 0x206150020
other:  MMIO address 0x206150040
other:  MMIO address 0x206150048
  • Check iOS device backups for modification of empty SMS attachment directories followed immediately by BackupAgent network activity — this pattern indicates malicious attachment delivery and deletion.
  • Analyze the shutdown.log file inside the sysdiagnose archive (located at \system_logs.logarchive\Extra) for infection artifacts — this is a lightweight, minimally intrusive method to detect iOS malware including Triangulation.
  • Post-exploitation, the IMAgent process is launched with an injected payload to clear exploitation artifacts — unexpected IMAgent execution or injection should be flagged.
  • The attack delivers a zero-click iMessage attachment exploiting CVE-2023-41990 (ADJUST TrueType font instruction RCE) — monitor for anomalous iMessage attachment processing with no user interaction.
  • All C2 communications occurred over HTTPS, preventing plaintext traffic inspection — network-level detection is limited to domain/IP reputation without SSL inspection.
  • iOS SSL pinning for Apple services (including iMessage) prevents MITM interception even with a trusted root certificate installed, limiting traffic-based detection of the initial exploit delivery.
  • The JS validator implements its own NaCl public-key encryption layer on top of HTTPS for C2 communications, meaning even with SSL inspection the payload content remains encrypted without the ephemeral private key.
  • The exploit actively clears artifacts post-exploitation via IMAgent injection, reducing forensic evidence available in device backups or file system analysis.
  • Forensic acquisition tools based on checkra1n did not work for modern processors running iOS 15 and 16 at the time of research, limiting full device imaging for newer devices.
  • The unknown MMIO hardware registers exploited via CVE-2023-38606 are not listed in the Apple DeviceTree, making firmware-level detection of their abuse difficult without specialized hardware analysis.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck           7.8    HIGH
cisa                7.8    HIGH