Arbitrary Code Execution Vulnerability in Apple Devices
CVE-2019-8900

Currently unrated

Key Information:

Vendor: Apple
Status: Securerom
Vendor: CVE Published:; 21 February 2025

Summary

A vulnerability in the SecureROM of various Apple devices allows unauthenticated local attackers to execute arbitrary code during the boot process. This exploitation requires physical access to the device, specifically by connecting it to a computer and placing it into Device Firmware Update (DFU) mode. The exploit is transient, as rebooting the device resets any changes made during the exploited session. Additionally, without knowledge of the device's unlock PIN or fingerprint, access to sensitive information protected by Apple's Secure Enclave or Touch ID features remains secure.

Affected Version(s)

SecureROM A5

References

https://www.kb.cert.org/vuls/id/941987

Timeline

Vulnerability published
Feb 21, 2025
Vulnerability Reserved
Feb 18, 2019