Cyber Resilience

CVE-2023-28204

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 23 June 2023

Published
23 June 2023
Modified
23 October 2025
KEV Added
22 May 2023
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0008 23.0th percentile
Risk Priority 33 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-28204 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Apple Ipados. Its CVSS base score is 6.5 (Medium).

Operationally, ranked at the 23.0th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An out-of-bounds read vulnerability, tracked as CVE-2023-28204 and assigned CWE-125, affects Apple's web content processing components in Safari and multiple operating systems. The flaw was addressed through improved input validation and impacts watchOS before 9.5, tvOS before 16.5, macOS Ventura before 13.4, iOS and iPadOS before 15.7.6 or 16.5, and Safari before 16.5. With a CVSS 3.1 score of 6.5, the issue resides in network-accessible code that handles untrusted web content.

An unauthenticated remote attacker can trigger the vulnerability by causing a victim to process malicious web content, resulting in disclosure of sensitive information from the affected device. Exploitation requires user interaction such as visiting a crafted web page but needs no privileges on the target system.

Apple security advisories for the fixed releases (HT213757, HT213758, HT213761, and HT213762) recommend immediate installation of the listed updates. The vendor states it is aware of reports indicating the issue may have been actively exploited in the wild. The current EPSS score remains low at 0.0008 with no indicated rise after disclosure.

EU & UK References

Vulnerability details

An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information.…

more

Apple is aware of a report that this issue may have been actively exploited.

CWE(s)
KEV Date Added
22 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
safari
≤ 16.5
apple
ipados
≤ 15.7.6 · 16.0 — 16.5
apple
iphone os
≤ 15.7.6 · 16.0 — 16.5
apple
macos
13.0 — 13.4
apple
tvos
≤ 16.5
apple
watchos
≤ 9.5
webkitgtk
webkitgtk\+
≤ 2.42.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the root cause by enforcing improved input validation on untrusted web content before processing.

prevent

Requires timely application of vendor patches that remediate the out-of-bounds read in web-content components.

detect

Enables monitoring specifically for unauthorized information disclosure resulting from exploitation of the flaw.

References