CVE-2023-41992
published 2023-09-21


Priority: P182 high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
KEV: CISA Known Exploited Vulnerability, due 2023-10-16
ITW: Exploited in the wild
EPSS: 2.92% (85.3th percentile)
The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7, iOS 16.7 and iPadOS 16.7, macOS Ventura 13.6. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Affected

15 ranges
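| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_16.7_and_ipados | | |
| apple | ios_17.0.1_and_ipados | | |
| apple | ios_and_ipados | >= unspecified < 16.7 | 16.7 |
| apple | ipados | < 16.7 | 16.7 |
| apple | ipados | | |
| apple | iphone_os | < 16.7 | 16.7 |
| apple | iphone_os | | |
| apple | macos | >= 12.0 < 12.7 | 12.7 |
| apple | macos | >= 13.0 < 13.6 | 13.6 |
| apple | macos | >= unspecified < 12.7 | 12.7 |
| apple | macos | >= unspecified < 13.6 | 13.6 |
| apple | macos_monterey | | |
| apple | macos_ventura | | |
| apple | watchos | | |
| apple | watchos | | |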

Detection & IOCs (extracted from sources)

domain: sec-flare[.]com
  • CVE-2023-41992 is the Local Privilege Escalation (LPE) stage of a three-vulnerability iOS exploit chain (CVE-2023-41993 → CVE-2023-41991 → CVE-2023-41992); detections should consider the full chain context.
  • After LPE, a small binary is executed to decide whether to install the full Predator implant; look for unusual small binaries spawned with elevated privileges on iOS/macOS following a Safari process.
  • The full Predator implant payload was not captured by TAG; IOCs are limited to the delivery infrastructure and the exploit chain entry points.
  • Active exploitation was confirmed only against iOS versions prior to 16.7; patched versions (iOS 16.7, iOS 17.0.1, macOS Ventura 13.6, macOS Monterey 12.7, watchOS 9.6.3, watchOS 10.0.1) are not known to be vulnerable.

CVSS provenance

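| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |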