Apple remediates two zero-day vulnerabilities

Target Industry

Indiscriminate, opportunistic targeting.


Apple released security updates pertaining to two zero-day vulnerabilities affecting the iPhone, iPad and Mac product lines.

The first zero-day, tracked as CVE-2023-28206, is an out-of-bounds write flaw in IOSurfaceAccelerator that could lead to data corruption, a crash, or code execution. The second, tracked as CVE-2023-28205, is a WebKit vulnerability that allows data corruption or arbitrary code execution when freed memory is reused.

There have been reports of active exploitation of these vulnerabilities. However, at the time of writing, Apple is yet to verify these claims.


Successful exploitation of CVE-2023-28206 allows threat actors to use a maliciously crafted application to execute arbitrary code with kernel privileges on targeted systems. CVE-2023-28205 can be exploited by misleading the target into loading malicious web pages under the threat actor's control, which could lead to code execution on compromised systems.

Vulnerability Detection

Apple has released the required security updates for the affected product versions. As such, previous versions are vulnerable to potential exploitation.

Affected Products

The extensive list of affected Apple products includes:

– iPhone 8 and above
– iPad Pro (all models)
– iPad Air 3rd generation and above
– iPad 5th generation and above
– iPad mini 5th generation and above
– Mac systems running macOS Ventura

Containment, Mitigations & Remediations

It is strongly recommended that users apply the following respective product updates as soon as possible:

– iOS 16.4.1
– iPadOS 16.4.1
– macOS Ventura 13.3.1
– Safari 16.4.1

To update the iPhone, navigate to “Settings” > “General” > “Software Update”. The device can also be updated automatically if the automatic updates option has been set.

To update Mac systems, navigate to the Apple menu icon in the corner of the screen > “System preferences” > “Software Update”.
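A fleet check against the fixed versions listed above, as an added example that is not part of the original bulletin or any Apple tooling. The CSV column names and hostnames are constructed, and macOS entries older than Ventura are reported as not listed because the bulletin names only Ventura for Macs.

```python
import csv
import io

# Fixed releases exactly as listed in the bulletin.
FIXED = {
    "ios": (16, 4, 1),
    "ipados": (16, 4, 1),
    "macos": (13, 3, 1),  # macOS Ventura
    "safari": (16, 4, 1),
}

# Constructed inventory export (hostnames and column names are assumptions).
SAMPLE_INVENTORY = """host,product,version
iphone-001,iOS,16.4.1
iphone-002,iOS,16.4
ipad-001,iPadOS,16.3.1
mac-001,macOS,13.3.1
mac-002,macOS,13.3
mac-003,macOS,12.6.4
mac-003,Safari,16.3
kiosk-001,iOS,n/a
"""

def parse_version(text):
    """Turn '16.4' into (16, 4, 0) so short versions compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, version):
    """Classify one inventory entry against the bulletin's fixed releases."""
    key = product.strip().lower()
    if key not in FIXED:
        return "not-listed"
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown-version"  # needs a manual check, never assume patched
    if key == "macos" and current[0] < FIXED[key][0]:
        return "not-listed"  # the bulletin lists only Ventura for Macs
    return "patched" if current >= FIXED[key] else "update-required"

def triage(csv_text):
    """Return (host, product, version, status) for entries not confirmed patched."""
    rows = csv.DictReader(io.StringIO(csv_text))
    checked = [(r["host"], r["product"], r["version"],
                assess(r["product"], r["version"])) for r in rows]
    return [entry for entry in checked if entry[3] != "patched"]
```

Calling `triage(SAMPLE_INVENTORY)` returns only the entries that still need action or a manual check; entries with an unparseable version are surfaced rather than treated as patched.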

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Apple occupies a significant portion of the smart device and PC market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Apple products have become a prime target. Because smart devices and PCs have become integral to both personal and business operations, threat actors will continue to exploit vulnerabilities in these systems in an attempt to extract the sensitive information they contain.

Apple also addressed a WebKit zero-day (CVE-2023-23529, CVSSv3 Score: 8.8) in February 2022, which was exploited in attacks to trigger operating system crashes and to gain code execution on vulnerable Apple devices.

Threat Group

Although no attribution to specific threat actors or groups has been identified at the time of writing, it should be noted that two recent series of attacks, involving exploit chains of Android, iOS, and Chrome zero-day and n-day flaws to deploy spyware, were disclosed at the end of March 2022.

Mitre Methodologies

Tactics:
TA0002 – Execution
TA0008 – Lateral Movement

Lateral Movement Technique:
T1210 – Exploitation of Remote Services

Further Information

Apple Security Advisory


Intelligence Terminology Yardstick