Cyber Resilience

CVE-2021-30761

HighCISA KEVActive ExploitationEUVD Exploited

Published: 08 September 2021

Published
08 September 2021
Modified
23 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0051 66.8th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30761 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Iphone Os. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 33.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A memory corruption vulnerability, tracked as CVE-2021-30761 and assigned CWE-787, affects iOS versions prior to 12.5.4. The flaw stems from improper state management during the processing of web content and carries a CVSS 3.1 score of 8.8, reflecting network attack vectors with no required privileges and only user interaction.

An unauthenticated remote attacker can deliver maliciously crafted web content to a victim device; successful exploitation results in arbitrary code execution with full impact on confidentiality, integrity, and availability.

Apple's advisory HT212548 states that the issue is resolved in iOS 12.5.4 through improved state management. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog.

Apple has reported that the issue may have been actively exploited in the wild.

EU & UK References

Vulnerability details

A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 12.5.4. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been…

more

actively exploited..

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
iphone os
≤ 12.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (iOS 12.5.4) that eliminates the memory-corruption flaw before exploitation.

prevent

Mandates memory-protection mechanisms that would have blocked the out-of-bounds write (CWE-787) during web-content processing.

SC-18 Mobile Code partial match
prevent

Restricts and validates mobile code (e.g., scripts in web content) that an attacker uses to trigger the vulnerability.

References