Arbitrary Code Execution Vulnerability in Apple Devices
CVE-2019-8900

6.8MEDIUM

Key Information:

Vendor: Apple
Status: Securerom
Vendor: CVE Published:; 21 February 2025

What is CVE-2019-8900?

A vulnerability in the SecureROM of various Apple devices allows unauthenticated local attackers to execute arbitrary code during the boot process. This exploitation requires physical access to the device, specifically by connecting it to a computer and placing it into Device Firmware Update (DFU) mode. The exploit is transient, as rebooting the device resets any changes made during the exploited session. Additionally, without knowledge of the device's unlock PIN or fingerprint, access to sensitive information protected by Apple's Secure Enclave or Touch ID features remains secure.

Affected Version(s)

SecureROM A5

References

https://www.kb.cert.org/vuls/id/941987

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 21, 2025
Vulnerability Reserved
Feb 18, 2019

JSON