CISA's urgent warning: iPhone spyware threat. Learn about CVE-2023-41064 and CVE-2023-41061. Protect your devices now.

Continue reading
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning, instructing federal agencies to address security vulnerabilities exploited in a zero-click iMessage exploit chain. This exploit chain has been used to compromise iPhones with NSO Group's Pegasus spyware. In this article, we'll delve into the technical details of this cybersecurity incident and its implications for CISOs, CSOs, security researchers, threat analysts, developers, and the broader community of security professionals.
Citizen Lab recently revealed that this exploit chain, named BLASTPASS, leveraged two vulnerabilities. It targeted fully patched iPhones belonging to a Washington, DC-based civil society organization using PassKit attachments containing malicious images. The two vulnerabilities in question are tracked as CVE-2023-41064 and CVE-2023-41061 and pertain to Image I/O and Wallet.
The impact of these vulnerabilities is substantial, as they affect various Apple devices, including:
Apple swiftly responded to these zero-days by releasing updates for macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. These updates address memory handling and improve logic to mitigate the risk of arbitrary code execution on unpatched devices.
CISA has categorized these security flaws as "frequent attack vectors for malicious cyber actors'' and identified them as "significant risks to the federal enterprise." Accordingly, U.S. Federal Civilian Executive Branch Agencies (FCEB) must patch all vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog within a specific timeframe. This directive, BOD 22-01, was published in November 2022.
Following CISA's update, federal agencies must secure all vulnerable iOS, iPadOS, and macOS devices against CVE-2023-41064 and CVE-2023-41061 by October 2nd, 2023. This deadline underscores the urgency of the situation and emphasizes the critical need for timely action.
While the primary focus of BOD 22-01 is on U.S. federal agencies, CISA has also strongly advised private companies to prioritize patching these vulnerabilities as soon as possible. Cybersecurity professionals in private enterprises must heed this advice to safeguard their organizations.
This incident is part of an ongoing trend, as Apple has grappled with multiple zero-day vulnerabilities throughout the year 2023. Notably, they have addressed:
These recurring zero-day discoveries underscore the challenges in securing Apple's ecosystem and the continuous efforts required to stay ahead of malicious actors.
It's worth noting that in response to this threat, Apple has advised individuals susceptible to targeted attacks due to their identity or occupation to enable Lockdown Mode. This security measure further restricts device access, adding an extra layer of defense.
To provide deeper insights into the technical nuances of this incident, let's explore the vulnerabilities CVE-2023-41064 and CVE-2023-41061 in more detail:
Apple's mitigation measures in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 include improved memory handling and logic enhancements. These updates are designed to thwart the specific attack vectors associated with these vulnerabilities.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.