CVE-2023-41990
published 2023-09-12

Priority: P1, 83, high
CVSS 3.1 base score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2024-01-29
Exploited in the wild: yes
EPSS: 1.15% (62.7th percentile)
The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura 13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Affected (23 ranges)

Vendor  Product                 Version range               Fixed in
apple   ios_15.7.8_and_ipados   -                           -
apple   ios_16.3_and_ipados     -                           -
apple   ios_and_ipados          >= unspecified, < 16.3      16.3
apple   ios_and_ipados          >= unspecified, < 15.7      15.7
apple   ipados                  < 15.7.8                    15.7.8
apple   ipados                  >= 16.0, < 16.3             16.3
apple   iphone_os               < 15.7.8                    15.7.8
apple   iphone_os               >= 16.0, < 16.3             16.3
apple   macos                   < 11.7.9                    11.7.9
apple   macos                   >= 12.0.0, < 12.6.8         12.6.8
apple   macos                   >= 13.0, < 13.2             13.2
apple   macos                   >= unspecified, < 11.7      11.7
apple   macos                   >= unspecified, < 13.2      13.2
apple   macos                   >= unspecified, < 12.6      12.6
apple   macos_big_sur           -                           -
apple   macos_monterey          -                           -
apple   macos_ventura           -                           -
apple   tvos                    < 16.3                      16.3
apple   tvos                    -                           -
apple   tvos                    >= unspecified, < 16.3      16.3
apple   watchos                 < 9.3                       9.3
apple   watchos                 -                           -
apple   watchos                 >= unspecified, < 9.3       9.3

Detection & IOCs (extracted from sources)

domain: backuprabbit[.]com
domain: cloudsponcer[.]com
domain: snoweeanalytics[.]com
domain: topographyupdates[.]com
domain: unlimitedteacup[.]com
domain: virtuallaughing[.]com
  • CVE-2023-41990 exploits an undocumented, Apple-only ADJUST TrueType font instruction delivered as a malicious iMessage attachment; look for FontParser processing anomalies that occur with no user interaction (0-click).
  • Look for modification of empty SMS attachment directories (Library/SMS/Attachments) immediately followed by BackupAgent network activity; this pattern indicates a malicious iMessage attachment was received and then deleted by the attacker.
  • The exploit chain uses the NSExpression/NSPredicate query language for multi-stage privilege escalation after the initial font RCE; monitor for unusual NSPredicate/NSExpression evaluation in sandboxed contexts.
  • Post-exploitation, the attacker launches IMAgent with an injected payload to clear exploitation artifacts, then spawns an invisible Safari process to load the next stage; monitor for IMAgent spawning unexpected child processes or Safari running in headless/invisible mode.
  • C2 communications from the JavaScript validator use NaCl public-key cryptography (nacl.box) with a randomly generated ephemeral key pair; the payloads remain opaque even where TLS is intercepted, so network detection has to rely on destinations rather than content.
  • The exploit targets Apple A12 to A16 Bionic SoCs specifically; the MMIO register abuse (CVE-2023-38606) uses undocumented GPU coprocessor registers that are absent from the device tree, so standard firmware-level tooling will not surface them.
  • The chain was designed to work on iOS versions up to iOS 16.2; Apple's advisory cites reports of exploitation against versions released before iOS 15.7.1, and the full chain was patched in tvOS 16.3, iOS 16.3/iPadOS 16.3, macOS Ventura 13.2 and the related releases listed above.
  • iOS pins certificates for Apple services including iMessage, so the initial delivery vector cannot be intercepted by a MITM proxy even with a trusted root certificate installed on the device.
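The host-side indicators above (an emptied SMS attachment directory followed by BackupAgent traffic, IMAgent spawning children outside its baseline, and contact with the listed domains) can be expressed as a small triage check. What follows is an added example, not code from the page's sources or from Apple; the Event schema, the five-minute correlation window, the (empty) IMAgent child baseline and the sample telemetry are all assumptions constructed for illustration, and real input would come from a sysdiagnose, a device backup or an EDR/MDM feed.

```python
"""Triage helper for the Operation Triangulation indicators listed above.
Added example, not code from the page's sources or from Apple. The event
schema and the sample telemetry below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicator domains from the IOC table above (de-fanging brackets removed).
C2_DOMAINS = {
    "backuprabbit.com", "cloudsponcer.com", "snoweeanalytics.com",
    "topographyupdates.com", "unlimitedteacup.com", "virtuallaughing.com",
}
# Assumed baseline of processes IMAgent is expected to spawn on this fleet.
# Empty here; derive it from known-clean devices before deploying the rule.
IMAGENT_EXPECTED_CHILDREN = set()


@dataclass
class Event:
    ts: datetime
    kind: str           # "fs_modify" | "net" | "proc_spawn" | "dns"
    process: str        # process that produced the event
    detail: str         # path, destination host, child name or queried name
    file_count: int = 0 # for fs_modify: files left in the directory


def find_deleted_attachment_pattern(events, window=timedelta(minutes=5)):
    """Indicator: a Library/SMS/Attachments directory is modified while
    empty and BackupAgent makes a network connection within `window`."""
    hits = []
    empty_dirs = [e for e in events if e.kind == "fs_modify"
                  and "Library/SMS/Attachments" in e.detail and e.file_count == 0]
    backup_net = [e for e in events if e.kind == "net"
                  and e.process.lower() == "backupagent"]
    for d in empty_dirs:
        for n in backup_net:
            if d.ts <= n.ts <= d.ts + window:
                hits.append((d.detail, n.ts))
                break
    return hits


def find_imagent_anomalies(events, expected=IMAGENT_EXPECTED_CHILDREN):
    """Indicator: IMAgent spawning a child process that is not in the baseline."""
    return [e.detail for e in events if e.kind == "proc_spawn"
            and e.process.lower() == "imagent" and e.detail not in expected]


def find_c2_contacts(events, domains=C2_DOMAINS):
    """Indicator: DNS lookup or connection to a listed C2 domain or a subdomain."""
    out = []
    for e in events:
        if e.kind not in ("dns", "net"):
            continue
        host = e.detail.lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in domains):
            out.append((e.process, host))
    return out


def triage(events):
    """Run all three checks; any non-empty list warrants a forensic look."""
    return {
        "deleted_attachment": find_deleted_attachment_pattern(events),
        "imagent_children": find_imagent_anomalies(events),
        "c2_contacts": find_c2_contacts(events),
    }


# Constructed sample telemetry (not from a real device).
T0 = datetime(2023, 6, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "fs_modify", "imagent", "Library/SMS/Attachments/ab/11", 0),
    Event(T0 + timedelta(seconds=40), "net", "BackupAgent", "203.0.113.10"),
    Event(T0 + timedelta(seconds=45), "proc_spawn", "IMAgent", "MobileSafari"),
    Event(T0 + timedelta(seconds=50), "dns", "mDNSResponder", "backuprabbit.com"),
    Event(T0 + timedelta(minutes=2), "dns", "mDNSResponder", "cdn.cloudsponcer.com"),
    # Benign: an attachment directory that still holds files.
    Event(T0 + timedelta(hours=1), "fs_modify", "imagent", "Library/SMS/Attachments/cd/22", 3),
    # Benign: BackupAgent traffic with no preceding empty-directory change.
    Event(T0 + timedelta(hours=2), "net", "BackupAgent", "icloud.com"),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The correlation in find_deleted_attachment_pattern is deliberately one-directional (directory change first, BackupAgent traffic after) because that is the order the indicator describes; a BackupAgent connection on its own, like the last sample event, is not flagged. Tune the window and the IMAgent baseline against clean devices before treating a hit as more than a lead.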

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH