CVE-2023-41991
published 2023-09-21

Priority: P180
Severity: medium (CVSS 3.1 base score 5.5)
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2023-10-16
Exploited in the wild
EPSS: 4.55% (90.4th percentile)
A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Affected (12 ranges)

Vendor | Product                | Version range               | Fixed in
-------|------------------------|-----------------------------|---------
apple  | ios_16.7_and_ipados    |                             |
apple  | ios_17.0.1_and_ipados  |                             |
apple  | ios_and_ipados         | >= unspecified, < 16.7      | 16.7
apple  | ipados                 | < 16.7                      | 16.7
apple  | ipados                 |                             |
apple  | iphone_os              | < 16.7                      | 16.7
apple  | iphone_os              |                             |
apple  | macos                  | >= 13.0, < 13.6             | 13.6
apple  | macos                  | >= unspecified, < 13.6      | 13.6
apple  | macos_ventura          |                             |
apple  | watchos                |                             |
apple  | watchos                |                             |

Detection & IOCs (extracted from sources)

Domain: sec-flare[.]com
  • CVE-2023-41991 is the second stage in a three-vulnerability iOS exploit chain. Detection should consider the full chain: CVE-2023-41993 (Safari RCE) → CVE-2023-41991 (certificate validation bypass) → CVE-2023-41992 (XNU kernel LPE). Look for anomalous process spawning from Safari followed by privilege escalation indicators.
  • The exploit chain ran a small binary post-exploitation to decide whether to install the full Predator implant. Hunt for unexpected small binaries executing on iOS devices following browser activity.
  • The Predator implant payload itself was not captured by TAG, limiting full IOC coverage. Detection based solely on the known redirect domains may miss variants or updated infrastructure.

CVSS provenance

Source    | Version | Score | Severity | Vector
----------|---------|-------|----------|------------------------------------------------
nvd       | v3.1    | 5.5   | MEDIUM   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vulncheck |         | 5.5   | MEDIUM   |
cisa      |         | 5.5   | MEDIUM   |