CVE-2023-32434 Exploited: PoC Unlocks Full Command of iOS Devices

Proof-of-concept (PoC) code has been released for a zero-day iOS vulnerability (CVE-2023-32434) that can be chained to take full control of a mobile device.

June 2023 marked a pivotal moment when Apple released iOS 16.5.1 and iPadOS 16.5.1, addressing two zero-day security vulnerabilities. The kernel (CVE-2023-32434) and WebKit (CVE-2023-32439) vulnerabilities presented a stark reality – the possibility for an application to execute arbitrary code with kernel privileges. This is not just a technical jargon but a glaring sign of how deep an attacker could infiltrate into the system’s core, commandeering full control of a device.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7,” the company says.

Apple’s acknowledgment of the potential active exploitation of these vulnerabilities in versions preceding iOS 15.7 underscores the gravity of the situation.

Demonstrating a mastery over the intricacies of these flaws, Poulin-Bélanger not only showcased how the CVE-2023-32434 flaw could be chained for code execution with kernel privileges but also bravely made the technical details public. This move serves a dual purpose – enlightening the tech community and nudging the responsible entities towards robust security measures.

“Reachable from the WebContent sandbox and might have been actively exploited,” the researcher wrote in his write-up.

The exploit, rigorously tested on various versions of iOS, including 16.3 to 16.5 on the iPhone 14 Pro Max, and macOS 13.1 and 13.4 on the MacBook Air M2 2022, highlights the widespread impact of this vulnerability. The release of a Proof-of-Concept (PoC) exploit for the CVE-2023-32434 flaw by the researcher is a testament to the severity of these findings, serving as a vivid illustration of the potential risks.