Cyber Resilience

CVE-2023-23529

HighCISA KEVActive ExploitationEUVD Exploited

Published: 27 February 2023

Published
27 February 2023
Modified
23 October 2025
KEV Added
14 February 2023
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0009 26.0th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-23529 is a high-severity Type Confusion (CWE-843) vulnerability in Apple Ipados. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 26.0th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A type confusion vulnerability addressed through improved input validation checks affects multiple Apple platforms, specifically iOS 15.7.4 and iPadOS 15.7.4, iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3. The flaw resides in the handling of web content and carries a CVSS 3.1 base score of 8.8, corresponding to CWE-843.

An attacker can exploit the issue by serving maliciously crafted web content to a victim who visits the page in a vulnerable browser or application. Successful exploitation grants arbitrary code execution in the context of the affected process, with no authentication or special privileges required beyond the user loading the page.

Apple security advisories for the listed updates state that the fixes are delivered through standard software updates for iOS, iPadOS, macOS, and Safari, and they explicitly note that the company is aware of reports indicating the vulnerability has been actively exploited in the wild.

The EPSS score rose sharply from a low baseline to a peak of 0.0155 on the day after disclosure before receding, indicating a brief but measurable increase in observed exploitation interest following public release of the CVE.

EU & UK References

Vulnerability details

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 15.7.4 and iPadOS 15.7.4, iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution.…

more

Apple is aware of a report that this issue may have been actively exploited.

CWE(s)
KEV Date Added
14 February 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
safari
≤ 16.3
apple
ipados
≤ 15.7.4 · 16.0 — 16.3.1
apple
iphone os
≤ 15.7.4 · 16.0 — 16.3.1
apple
macos
13.0 — 13.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements the improved input validation checks that Apple used to eliminate the type-confusion flaw when processing untrusted web content.

prevent

Requires timely application of the vendor patches (iOS 15.7.4/16.3.1, macOS 13.2.1, Safari 16.3) that remediate the actively exploited vulnerability.

preventdetect

Provides malicious-code inspection and blocking capabilities that can interdict crafted web content before it reaches the vulnerable WebKit parser.

References