CVE-2024-44207
Published: 04 October 2024
Summary
CVE-2024-44207 is a medium-severity vulnerability of an unspecified weakness type in Apple iPadOS. Its CVSS base score is 4.3 (Medium).
Operationally, it is ranked in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-44207 is a vulnerability in the Messages application on Apple's mobile platforms, where an incoming audio message could capture several seconds of audio from the device microphone before the microphone indicator activates. The flaw was caused by inadequate validation checks and is fixed in iOS 18.0.1 and iPadOS 18.0.1. It carries a CVSS 4.3 score reflecting network attack vector, low complexity, and limited confidentiality impact.
An unauthenticated remote attacker can trigger the issue by sending a crafted audio message that the recipient opens or plays, resulting in brief unauthorized audio capture without immediate user notification. The attack requires user interaction and does not allow further system compromise or data modification.
Apple's security update for iOS 18.0.1 and iPadOS 18.0.1 resolves the problem through improved checks, as described in the vendor advisory at support.apple.com/en-us/121373. The corresponding disclosure appears on seclists.org.
The associated EPSS score remains low and essentially flat, indicating no significant post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40951
Vulnerability details
This issue was addressed with improved checks. This issue is fixed in iOS 18.0.1 and iPadOS 18.0.1. Audio messages in Messages may be able to capture a few seconds of audio before the microphone indicator is activated.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.