CVE-2023-41061
published 2023-09-07

Priority: P1 (82), high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA KEV: listed (Known Exploited Vulnerability), remediation due 2023-10-02
Exploited in the wild: yes
EPSS: 3.15% (86.3 percentile)
A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Affected

7 ranges (from the CVE record's affected-version data)

Vendor  Product                  Version range             Fixed in
apple   ios_16.6.1_and_ipados    (none listed)             (none listed)
apple   ios_and_ipados           >= unspecified, < 16.6    16.6
apple   ipados                   < 16.6.1                  16.6.1
apple   iphone_os                < 16.6.1                  16.6.1
apple   watchos                  < 9.6.2                   9.6.2
apple   watchos                  (none listed)             (none listed)
apple   watchos                  >= unspecified, < 9.6     9.6

Note that the "< 16.6" and "< 9.6" rows are how the CVE record expresses the ranges; Apple's advisory names iOS/iPadOS 16.6.1 and watchOS 9.6.2 as the releases that fix this issue, so treat any build below those as unpatched.

Detection & IOCs (extracted from sources)

IOC type: other. PassKit attachments containing malicious images via iMessage
  • Hunt for inbound iMessage conversations that delivered PassKit (.pkpass) attachments containing embedded images. That is the delivery vector for the BLASTPASS exploit chain, which targets CVE-2023-41061 (Wallet) chained with CVE-2023-41064 (ImageIO). iMessage content is end-to-end encrypted, so this hunt runs over device or backup artifacts rather than network traffic.
  • CVE-2023-41061 is chained with CVE-2023-41064 (an ImageIO buffer overflow); detections should correlate both vulnerabilities being triggered together as part of the same attack sequence.
  • Scope detection to Apple devices running iOS/iPadOS earlier than 16.6.1 and watchOS earlier than 9.6.2. Those are the vulnerable builds; 16.6.1 and 9.6.2 are the releases that fix the issue.
  • CVE-2023-41061 affects the Wallet component specifically. The validation issue is in attachment processing, not a memory corruption bug, so exploitation relies on the chained ImageIO overflow (CVE-2023-41064) to achieve code execution.
  • Apple states it is aware of a report that this issue may have been actively exploited. Treat any unpatched device that received unexpected PassKit/iMessage attachments from unknown senders as potentially compromised and investigate it, rather than assuming it is clean.
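The two hunting steps above, scoping devices by OS build and triaging .pkpass attachments, as an added example (not code from this page's sources or from Apple). The fixed releases come from the advisory quoted above. The .pkpass layout assumed here (a zip archive holding pass.json, a manifest.json of SHA-1 digests for every other entry, a PKCS#7 signature entry, and PNG images in fixed slots such as icon.png and logo@2x.png) follows Apple's documented Wallet bundle format; the "unexpected image slot" and "extension does not match magic bytes" heuristics are this example's own triage checks, not published BLASTPASS indicators, and the sample archives are constructed inline for offline testing.

```python
"""Triage helper for CVE-2023-41061: scope devices by OS build and inspect
PassKit (.pkpass) attachments for image payloads. Added example; the
heuristics are the example's own, not published indicators."""
import hashlib
import io
import json
import re
import zipfile

# Fixed releases named in the Apple advisory quoted on this page.
FIXED = {"ios": (16, 6, 1), "ipados": (16, 6, 1), "watchos": (9, 6, 2)}


def parse_version(s):
    """'16.6.1' -> (16, 6, 1); '16.6' -> (16, 6, 0). Comparing tuples avoids
    the string-compare trap where '16.10' sorts before '16.6'."""
    parts = [int(p) for p in re.findall(r"\d+", s)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(platform, version):
    """True when the device has not yet reached the fixed release."""
    return parse_version(version) < FIXED[platform.lower()]


PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Image slots Apple defines for a pass bundle; any other .png is suspicious.
EXPECTED_IMAGES = re.compile(
    r"^(icon|logo|background|strip|thumbnail|footer)(@[23]x)?\.png$")


def inspect_pkpass(data):
    """Return a list of findings for one .pkpass archive given as bytes.
    Flags manifest digest mismatches, images outside the documented slots,
    and entries named .png whose bytes are not a PNG (ImageIO still has to
    parse them, which is what the chained CVE-2023-41064 targets)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            manifest = json.loads(zf.read("manifest.json"))
        except KeyError:
            findings.append("missing manifest.json")
            manifest = {}
        for name in zf.namelist():
            if name in ("manifest.json", "signature"):
                continue
            blob = zf.read(name)
            if manifest.get(name) != hashlib.sha1(blob).hexdigest():
                findings.append(f"manifest hash mismatch: {name}")
            if name.lower().endswith(".png"):
                if not EXPECTED_IMAGES.match(name):
                    findings.append(f"unexpected image slot: {name}")
                if not blob.startswith(PNG_MAGIC):
                    findings.append(f"not a PNG despite extension: {name}")
    return findings


def build_sample_pkpass(image_name, image_bytes):
    """Constructed sample archive for offline testing, not a real-world pass."""
    pass_json = json.dumps({"formatVersion": 1,
                            "passTypeIdentifier": "pass.example.test"}).encode()
    files = {"pass.json": pass_json, image_name: image_bytes}
    manifest = {n: hashlib.sha1(b).hexdigest() for n, b in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in files.items():
            zf.writestr(n, b)
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("signature", b"")  # real passes carry a PKCS#7 blob here
    return buf.getvalue()


if __name__ == "__main__":
    for plat, ver in [("ios", "16.6"), ("ios", "16.6.1"), ("watchos", "9.5.3")]:
        print(plat, ver, "VULNERABLE" if is_vulnerable(plat, ver) else "patched")
    clean = build_sample_pkpass("icon.png", PNG_MAGIC + b"\x00" * 16)
    odd = build_sample_pkpass("photo.png", b"\x00\x01\x02 not an image")
    print("clean pass:", inspect_pkpass(clean))
    print("odd pass:", inspect_pkpass(odd))
```

Run it against .pkpass files exported from an iMessage attachment store or a device backup; a pass that fails the manifest check or carries images outside the documented slots is worth a closer look on any device whose build is below the fixed release.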

CVSS provenance

NVD (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
VulnCheck: 7.8 HIGH
CISA: 7.8 HIGH