Arbitrary Code Execution Vulnerability in iOS, macOS, and Other Products
CVE-2023-41990
Key Information:
- Vendor: Apple
- CVE Published: 12 September 2023
What is CVE-2023-41990?
CVE-2023-41990 is an arbitrary code execution vulnerability that affects various Apple products, including iOS and macOS. The issue allows for remote code execution when processing a font file, making it a high-severity vulnerability with a CVSS score of 7.8. It has been actively exploited by unknown actors as part of Operation Triangulation spyware attacks, enabling them to gain control of the affected devices. Apple has released patches to address this vulnerability in its products, urging users to update their systems to secure their networks against active threats.
CISA has reported CVE-2023-41990
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-41990 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
iOS and iPadOS < 16.3
iOS and iPadOS < 15.7
macOS < 11.7
News Articles

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe, D-Link, Joomla Under Attack
CISA adds six new flaws to its KEV catalog, highlighting urgent need for network security upgrades!
iPhone 0-click spyware campaign 'Triangulation' detailed
Researchers say the high-profile Operation Triangulation campaign exploited a now-patched zero-day flaw in the phone’s hardware-based memory protection system.
NSA iPhone Backdoor? Apple Avoids Russian Blame Game
“No Ordinary Vulnerability” — Operation Triangulation research uncovers new details of fantastic attack chain.
Timeline
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by Security Boulevard
- Vulnerability published
- Vulnerability Reserved