Cyber Resilience

CVE-2023-41991

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 21 September 2023
Modified: 05 November 2025
KEV Added: 25 September 2023
Patch
CVSS Score v3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.0390 (88.5th percentile)
Risk Priority: 33 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-41991 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Apple iPadOS, iOS and macOS Ventura. Its CVSS v3.1 base score is 5.5 (Medium).

Operationally, it ranks in the top 11.5% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations identified in this analysis are NIST SP 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

A certificate validation issue tracked as CVE-2023-41991 affects macOS Ventura prior to 13.6 and iOS and iPadOS prior to 16.7. The flaw, classified as CWE-295 (Improper Certificate Validation), permits a bypass of signature validation and carries a CVSS 3.1 base score of 5.5: local attack vector, low attack complexity, no privileges required, user interaction required, and an integrity-only impact.

A malicious app can exploit the weakness once a user interacts with it, allowing the app to circumvent signature validation and compromise integrity on the affected system; per the CVSS vector, confidentiality and availability are not directly impacted. Apple has stated that it is aware of a report that the issue may have been actively exploited against iOS versions before 16.7.

Apple's security advisories direct users to install macOS Ventura 13.6, iOS 16.7, and iPadOS 16.7, which contain the fix for the certificate validation logic. The referenced support documents (HT213927 and HT213931) list the patched builds and installation guidance.
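A quick triage check for fleet inventory, written as an added example for this page (it is not Apple's tooling or the page's own code): given a product name and a reported OS version, decide whether the build is still exposed based on the fixed versions stated above (macOS Ventura 13.6, iOS 16.7, iPadOS 16.7). The page lists iOS/iPadOS 17.0 as affected but gives no 17.x fix version, so 17.0 is treated as affected and other 17.x builds as unknown; macOS majors other than 13 are likewise reported as unknown rather than guessed. The version comparison is a pure-awk helper so the script runs on any POSIX sh without GNU `sort -V`.

```shell
#!/bin/sh
# Constructed example for CVE-2023-41991 triage; fixed versions taken from
# the advisory text on this page. Not affiliated with Apple.

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions
# (missing trailing components are treated as 0, so 13.6 == 13.6.0).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# affected PRODUCT VERSION
# PRODUCT is macos, ios or ipados. Prints "affected", "patched" or
# "unknown" and returns 0 only when the build is affected.
affected() {
  product=$1; ver=$2
  major=${ver%%.*}
  case "$product" in
    macos)
      # Advisory covers Ventura (13.x) only; fix is 13.6.
      if [ "$major" != "13" ]; then echo unknown; return 1; fi
      if [ "$(vercmp "$ver" 13.6)" -lt 0 ]; then echo affected; return 0; fi
      echo patched; return 1 ;;
    ios|ipados)
      # Assumption: 17.0 is listed as affected on this page, but no 17.x
      # fix version is given here, so other 17.x builds are "unknown".
      if [ "$ver" = "17.0" ]; then echo affected; return 0; fi
      if [ "$major" = "17" ]; then echo unknown; return 1; fi
      if [ "$(vercmp "$ver" 16.7)" -lt 0 ]; then echo affected; return 0; fi
      echo patched; return 1 ;;
    *)
      echo unknown; return 1 ;;
  esac
}

# Usage on a Mac: check the local build. Elsewhere, call affected directly,
# e.g. from an MDM export:  affected ios 16.6.1
if command -v sw_vers >/dev/null 2>&1; then
  affected macos "$(sw_vers -productVersion)" || true
fi
```

Because `affected` returns 0 only for a confirmed-affected build, it can be used directly in a loop over an MDM export to print just the devices that still need the update, while "unknown" results are surfaced for manual review rather than silently marked safe.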


Vulnerability details

A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

CWE(s): CWE-295 (Improper Certificate Validation)
KEV Date Added: 25 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple ipados: 17.0, and versions before 16.7
apple iphone os (iOS): 17.0, and versions before 16.7
apple macos (Ventura): 13.0 up to, but not including, 13.6

Mitigating Controls (NIST 800-53 r5)

prevent · CM-14 (Signed Components)

Directly requires verification of digital signatures on software components, which the CVE's certificate-validation bypass circumvents.

prevent · SI-7 (Software, Firmware, and Information Integrity)

Mandates integrity verification of software and firmware using cryptographic signatures, directly blocking the signature-bypass attack described in CVE-2023-41991.

prevent

Establishes proper issuance and validation rules for PKI certificates used in code signing, reducing the chance of flawed certificate handling that the CVE exploits.
