Cyber Resilience

CVE-2023-37450

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 July 2023
Modified: 23 October 2025
KEV Added: 13 July 2023
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (22.3rd percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37450 is a high-severity vulnerability of unspecified weakness type in Apple Safari. Its CVSS base score is 8.8 (High).

Operationally, it ranks at the 22.3rd percentile for exploit likelihood (EPSS, below the median), yet CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-37450 is a vulnerability in Apple's WebKit-based web content processing engine that was addressed through improved input validation checks. It affects multiple Apple platforms and is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, and watchOS 9.6. The flaw permits arbitrary code execution when a victim processes malicious web content, carrying a CVSS 3.1 base score of 8.8.

An unauthenticated remote attacker can exploit the issue by serving specially crafted web content that the target renders in Safari or any WebKit-based application. Successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the affected process, potentially leading to full device compromise. The attack requires the victim to visit a malicious site or view attacker-controlled content, consistent with the network-attack vector and user-interaction requirement in the CVSS scoring.

Apple security advisories HT213826, HT213841, HT213843, and HT213846 recommend immediate installation of the listed updates. The vendor states it is aware of reports indicating the vulnerability has been actively exploited in the wild. The current EPSS score remains low at 0.0007 with no material upward trajectory reported.

Vulnerability details

The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, watchOS 9.6. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CWE(s): none listed
KEV Date Added: 13 July 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product      Affected versions
apple       safari       ≤ 16.5.2
apple       ipados       ≤ 16.6
apple       iphone os    ≤ 16.6
apple       macos        13.0 – 13.5
apple       tvos         ≤ 16.6
apple       watchos      ≤ 9.6
webkitgtk   webkitgtk+   ≤ 2.42.3

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly requires timely installation of vendor patches that remediate the web-content parsing flaw before exploitation occurs.

- prevent: Mandates input validation on untrusted web content, matching the vendor's fix of improved checks that block the arbitrary-code path.

- prevent, detect: Requires malicious-code detection and blocking mechanisms that can intercept or alert on the code-execution payload delivered via crafted web content.
