Cyber Resilience

CVE-2023-32409

HighCISA KEVActive ExploitationEUVD Exploited

Published: 23 June 2023

Published
23 June 2023
Modified
12 January 2026
KEV Added
22 May 2023
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS Score 0.0030 53.6th percentile
Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-32409 is a high-severity an unspecified weakness vulnerability in Apple Ipados. Its CVSS base score is 8.6 (High).

Operationally, ranked in the top 46.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-32409 is a bounds-checking flaw in Apple's Web Content sandbox implementation. It affects watchOS prior to 9.5, tvOS prior to 16.5, macOS Ventura prior to 13.4, iOS and iPadOS prior to 15.7.8 and 16.5, and Safari prior to 16.5. The vulnerability was resolved by adding improved bounds checks in those releases.

A remote attacker can exploit the issue over the network with no privileges or user interaction required. Successful exploitation allows escape from the Web Content sandbox, resulting in high-integrity impact on the host system as reflected by the CVSS 8.6 rating with changed scope.

Apple security advisories for the listed updates state that installing the patched versions of watchOS, tvOS, macOS, iOS, iPadOS, and Safari eliminates the vulnerability.

Apple has stated that it is aware of reports indicating the flaw may have been actively exploited in the wild. The associated EPSS score rose materially from a low baseline to a peak of 0.0214 on 2024-06-18 before receding to its current value of 0.0030.

EU & UK References

Vulnerability details

The issue was addressed with improved bounds checks. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.8 and iPadOS 15.7.8, Safari 16.5, iOS 16.5 and iPadOS 16.5. A remote attacker may be able to break…

more

out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

CWE(s)
KEV Date Added
22 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
safari
≤ 16.5
apple
ipados
15.0 — 15.7.8 · 16.0 — 16.5
apple
iphone os
15.0 — 15.7.8 · 16.0 — 16.5
apple
macos
13.0 — 13.4
apple
tvos
≤ 16.5
apple
watchos
≤ 9.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches that add the missing bounds checks, eliminating the sandbox-escape flaw.

prevent

Mandates memory-protection mechanisms that enforce bounds checking and thereby block the exact flaw exploited to escape the Web Content sandbox.

prevent

Requires process isolation boundaries whose failure (via the bounds-check defect) is what enables the remote sandbox escape.

References