Pierluigi Paganini March 05, 2024

Apple released emergency security updates to address two new iOS zero-day vulnerabilities actively exploited in the wild against iPhone users.

Apple released emergency security updates to address two iOS zero-day vulnerabilities, respectively tracked as CVE-2024-23225 and CVE-2024-23296, that were exploited in attacks against iPhone devices.

CVE-2024-23225 is a Kernel memory corruption flaw, the company addressed it with improved validation.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.” reads the advisory.

CVE-2024-23296 is a RTKit memory corruption flaw, the company addressed it with improved validation.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.” continues the advisory.

Apple confirmed both vulnerabilities are actively exploited.

“Apple is aware of a report that this issue may have been exploited,” states the company.

Impacted devices are iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

The IT giant addressed the two vulnerabilities with the release of iOS 17.4, iPadOS 17.4, iOS 16.76, and iPad 16.7.6.

iPhone vulnerabilities are usually exploited by commercial spyware vendors or nation-state actors, in many cases, the targets were dissidents and journalists.

Below is the list of zero-day addressed by Apple this year:

January 2024 – CVE-2024-23222: type confusion issue that resides in the WebKit

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)