CVE-2023-38606
published 2023-07-27


Priority: P1 (score 82), severity medium, CVSS 3.1 base score 5.5
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2023-08-16
Exploited in the wild (ITW)
EPSS: 1.00% (58.5th percentile)
This issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.6.8, iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Affected

23 ranges

Vendor | Product                | Version range              | Fixed in
apple  | ios_15.7.8_and_ipados  |                            |
apple  | ios_16.6_and_ipados    |                            |
apple  | ios_and_ipados         | >= unspecified < 16.6      | 16.6
apple  | ios_and_ipados         | >= unspecified < 15.7      | 15.7
apple  | ipados                 | < 15.7.8                   | 15.7.8
apple  | ipados                 | >= 16.0 < 16.6             | 16.6
apple  | iphone_os              | < 15.7.8                   | 15.7.8
apple  | iphone_os              | >= 16.0 < 16.6             | 16.6
apple  | macos                  | >= 11.0 < 11.7.9           | 11.7.9
apple  | macos                  | >= 12.0.0 < 12.6.8         | 12.6.8
apple  | macos                  | >= 13.0 < 13.5             | 13.5
apple  | macos                  | >= unspecified < 13.5      | 13.5
apple  | macos                  | >= unspecified < 11.7      | 11.7
apple  | macos                  | >= unspecified < 12.6      | 12.6
apple  | macos_big_sur          |                            |
apple  | macos_monterey         |                            |
apple  | macos_ventura          |                            |
apple  | tvos                   | < 16.6                     | 16.6
apple  | tvos                   |                            |
apple  | tvos                   | >= unspecified < 16.6      | 16.6
apple  | watchos                | < 9.6                      | 9.6
apple  | watchos                |                            |
apple  | watchos                | >= unspecified < 9.6       | 9.6

Detection & IOCs (extracted from sources)

domain: backuprabbit[.]com
domain: cloudsponcer[.]com
domain: snoweeanalytics[.]com
domain: topographyupdates[.]com
domain: unlimitedteacup[.]com
domain: virtuallaughing[.]com
other: MMIO address 0x206040000
other: MMIO address 0x206140000
other: MMIO address 0x206150000
other: MMIO addresses: 0x206040000, 0x206140008, 0x206140108, 0x206150020, 0x206150040, 0x206150048
command: GFX power manager base/command write: A16 base=0x23B700408 command=0x1F0023FF; A15 base=0x23B7003C8 command=0x1F0023FF; A14 base=0x23B7003D0 command=0x1F0023FF; A13 base=0x23B080390 command=0x1F0003FF; A12 base=0x23B080388 command=0x1F0003FF
path: \system_logs.logarchive\Extra\shutdown.log
  • Look for modification of empty SMS attachment directories immediately prior to BackupAgent data usage activity; this pattern indicates a malicious attachment was received and then deleted.
  • Examine the shutdown.log file inside the sysdiagnose archive (system_logs.logarchive/Extra/) for infection traces; this lightweight artifact can reveal iOS malware indicators across multiple reboot events.
  • Monitor for HTTPS connections to the C2 domains backuprabbit[.]com, cloudsponcer[.]com, snoweeanalytics[.]com, topographyupdates[.]com, unlimitedteacup[.]com, and virtuallaughing[.]com from iOS devices, especially following iMessage attachment downloads.
  • CVE-2023-38606 exploits undocumented MMIO hardware registers not listed in the Apple DeviceTree; these registers are not used by any firmware, making firmware-level detection impossible without hardware-level monitoring.
  • All C2 communications occurred over HTTPS, preventing passive traffic inspection without SSL interception; iOS SSL pinning for Apple services (including iMessage) further blocks MITM interception.
  • The JS validator implements its own NaCl public-key encryption layer on top of HTTPS for C2 communications, making payload decryption infeasible without the ephemeral private key held only in device memory.
  • The malicious iMessage attachment is deleted from the device immediately after exploitation, leaving no file-based artifacts in backups or the filesystem.
  • Patch adoption for CVE-2023-38606 was critically low (36.92%) as of reporting, meaning over 63% of devices remained unpatched despite patch availability.
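Because the C2 traffic is HTTPS and the attachment is deleted after exploitation, the most practical network-side check from this record is matching DNS queries or TLS SNI values against the six C2 domains. The script below is an added example, not part of the CVE record or of any vendor tooling: it refangs the listed indicators, matches exact hosts and subdomains while rejecting look-alikes (notbackuprabbit.com), and runs over a constructed four-column log format (timestamp, source IP, event, host) that is an assumption for the example, not a real product's log layout.

```python
"""Added example: match DNS/TLS log lines against the CVE-2023-38606 C2 domains.
The log format and sample lines are constructed for this example."""
import re

# IOC domains exactly as listed on the record, in defanged form.
DEFANGED_C2_DOMAINS = [
    "backuprabbit[.]com",
    "cloudsponcer[.]com",
    "snoweeanalytics[.]com",
    "topographyupdates[.]com",
    "unlimitedteacup[.]com",
    "virtuallaughing[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    Comparing on label boundaries ('.' + domain) avoids false positives on
    look-alikes such as notbackuprabbit.com, and the trailing dot of a
    fully-qualified DNS name is stripped before comparison.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Hypothetical log layout assumed for the example: "<ts> <src_ip> <event> <host>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<event>\S+)\s+(?P<host>\S+)")


def find_c2_hits(lines):
    """Return (timestamp, source, event, normalized_host) for each IOC match.

    Lines that do not fit the expected layout are skipped rather than raising,
    so a partially corrupted export does not abort the sweep.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = m.group("host").lower().rstrip(".")
        if host_matches_ioc(host):
            hits.append((m.group("ts"), m.group("src"), m.group("event"), host))
    return hits


# Constructed sample log: one exact match, one subdomain match (with a
# trailing FQDN dot), one look-alike that must not match, one malformed line.
SAMPLE_LOG = [
    "2023-06-01T10:00:01Z 10.0.0.12 dns_query cdn.apple.com",
    "2023-06-01T10:00:05Z 10.0.0.12 tls_sni cloudsponcer.com",
    "2023-06-01T10:00:09Z 10.0.0.12 dns_query notbackuprabbit.com",
    "2023-06-01T10:00:12Z 10.0.0.31 tls_sni api.snoweeanalytics.com.",
    "malformed",
]

if __name__ == "__main__":
    for ts, src, event, host in find_c2_hits(SAMPLE_LOG):
        print(f"{ts} {src} {event} -> IOC match: {host}")
```

Matching on SNI or DNS names is the right layer here precisely because the payload itself is unreadable (HTTPS plus the validator's own NaCl layer); a hit on any of these domains is a strong signal on its own and should trigger a sysdiagnose pull and a look at shutdown.log as the record describes.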

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 5.5   | MEDIUM   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vulncheck |         | 5.5   | MEDIUM   |
cisa      |         | 5.5   | MEDIUM   |