Cyber Resilience

CVE-2019-6223

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 05 March 2019
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch: available (iOS 12.1.4; macOS Mojave 10.14.3 Supplemental Update)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0035 (57.9th percentile)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-6223 is a high-severity vulnerability in Apple iOS (iPhone OS) with no CWE assigned. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 42.1% of CVEs by exploit likelihood (EPSS 0.0035, 57.9th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-15 (Collaborative Computing Devices and Applications).

Deeper analysis

A logic issue in the handling of Group FaceTime calls, caused by inadequate state management, affected Apple iOS and macOS devices prior to the listed updates. The vulnerability resided in the FaceTime component and carried a CVSS 3.1 base score of 7.5, reflecting network-accessible exploitation with no required privileges or user interaction and a high impact on confidentiality.

An unauthenticated remote attacker acting as the initiator of a Group FaceTime call could exploit the flaw to force the recipient’s device to answer automatically, thereby gaining unauthorized audio or video access without the recipient’s knowledge or consent.
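As an added example (not Apple's code and not taken from the advisory), the following Python models the class of flaw described above: a call-signalling state machine in which an initiator-controlled event can move a ringing callee into a connected, media-streaming state without the callee's own accept. The state names, event names and the specific flawed transition are assumptions chosen to illustrate inadequate state management; the hardened variant shows the consent gate that closes it, and the invariant check is what a reviewer would assert over any such machine.

```python
"""Illustrative model of the CVE-2019-6223 bug class: call signalling whose
state machine lets an initiator-driven event open the callee's media without
the callee ever accepting. Added to this advisory as an example; not Apple's
FaceTime code. State names, event names and the exact flawed transition are
the editor's assumptions."""
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()    # callee's device is alerting; no media yet
    CONNECTED = auto()  # callee's microphone/camera stream to the call


class VulnerableCallee:
    """Treats any mid-ring group roster change as 'the call is live'."""

    def __init__(self) -> None:
        self.state = CallState.IDLE
        self.callee_accepted = False  # set only by the callee's own ACCEPT

    def handle(self, event: str) -> CallState:
        if self.state is CallState.IDLE and event == "INVITE":
            self.state = CallState.RINGING
        elif self.state is CallState.RINGING and event == "ACCEPT":
            self.callee_accepted = True
            self.state = CallState.CONNECTED
        elif self.state is CallState.RINGING and event == "ROSTER_UPDATE":
            # Flawed transition (assumed): an initiator-controlled event moves
            # the call to CONNECTED, so media flows although the callee never
            # pressed accept.
            self.state = CallState.CONNECTED
        elif event == "HANGUP":
            self.state = CallState.IDLE
            self.callee_accepted = False
        return self.state


class HardenedCallee(VulnerableCallee):
    """Same machine, but media opens only on the callee's own ACCEPT."""

    def handle(self, event: str) -> CallState:
        if self.state is CallState.RINGING and event == "ROSTER_UPDATE":
            # Roster changes while ringing never change the media state;
            # the callee stays RINGING until it explicitly accepts.
            return self.state
        return super().handle(event)


def run(callee: VulnerableCallee, events: list[str]) -> tuple[CallState, bool]:
    """Feed a sequence of signalling events and report (state, accepted)."""
    for event in events:
        callee.handle(event)
    return callee.state, callee.callee_accepted


def consent_invariant_holds(callee: VulnerableCallee) -> bool:
    """Safety property to check on any such machine: CONNECTED implies ACCEPT."""
    return callee.state is not CallState.CONNECTED or callee.callee_accepted


# Constructed attacker sequence: the initiator places the call, then triggers a
# roster change while the callee is still ringing. The callee never sends ACCEPT.
ATTACK_SEQUENCE = ["INVITE", "ROSTER_UPDATE"]


def media_without_consent(callee_cls) -> bool:
    """True if the attacker sequence opens media with no ACCEPT from the callee."""
    callee = callee_cls()
    run(callee, ATTACK_SEQUENCE)
    return not consent_invariant_holds(callee)


if __name__ == "__main__":
    for cls in (VulnerableCallee, HardenedCallee):
        print(f"{cls.__name__}: media without consent = {media_without_consent(cls)}")
```

The point of the `consent_invariant_holds` check is that it is independent of which event sequence reaches CONNECTED: any path that opens media without a recorded callee ACCEPT is a bug, which is the property a fuzzer or model checker over the signalling state machine should enforce.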

Apple addressed the issue through improved state management in iOS 12.1.4 and the macOS Mojave 10.14.3 Supplemental Update, as documented in security advisories HT209520 and HT209521. The vulnerability is also catalogued by CISA as one known to have been exploited in the wild.

Vulnerability details

A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. The initiator of a Group FaceTime call may be able to cause the recipient to answer.

CWE(s): none listed
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple / iphone os: versions before 12.1.4 (fixed in 12.1.4)
apple / mac os x: 10.14.3 and earlier, prior to the 10.14.3 Supplemental Update

Mitigating Controls (NIST 800-53 r5; AI-assigned)

AC-3 Access Enforcement (prevent): Enforces authorization decisions so that a Group FaceTime call cannot be answered without explicit recipient consent.

SC-15 Collaborative Computing Devices and Applications (prevent): Requires collaborative computing applications such as FaceTime to provide explicit user indication and control before audio/video access is granted.

Flaw remediation (prevent): Mandates timely remediation of the logic flaw in FaceTime state management that permitted unauthorized call answering.
