
iOS 18.6.1 0-click RCE POC


13 comments

August 25, 2025

mkhalil

Seems like it was major enough that it was the lone patch[0] in all active Apple OSes:

macOS Ventura 13.7.8 | macOS Sonoma 14.7.8 | macOS Sequoia 15.6.1

iPadOS 17.7.10 | iPadOS 18.6.2 | iOS 18.6.2

Usually, it's multiple CVEs in a security update.

Examples:

- https://support.apple.com/en-us/122375 (macOS Ventura 13.7.5)

- https://support.apple.com/en-us/122718 (macOS Ventura 13.7.6)

- https://support.apple.com/en-us/124151 (macOS Ventura 13.7.7)

--------------------------- References/Sources ---------------------------

[0] https://support.apple.com/en-us/124925 -> https://support.apple.com/en-us/124929 | (124925 -> 124929)

https://support.apple.com/en-us/100100

https://nvd.nist.gov/vuln/detail/CVE-2025-43300#vulnConfigur...

bri3d

Where's the 0-click or the RCE here?

I'm actually really curious about how the ITW exploit for this CVE worked; the OOB write is quite obvious in hindsight but going from OOB write to execution on iOS is very much not easy these days, and going from OOB write to sandbox escape should be extremely hard, especially since I thought (?) all image previews in iMessage should be behind BlastDoor. There's a lot of interesting stuff that's still missing here.

gruez

>Where's the 0-click or the RCE here?

See my other comment. There's an exploit in the wild that uses this bug to get RCE, but this specific example just causes a crash.

bri3d

Yes, that's what I'm referring to with

> I'm actually really curious about how the ITW exploit for this CVE worked

It's really weird to see only a single OOB write patched for a full 0-click chain in the wild - how did they get code execution? PAC+ASLR bypass? Sandbox escape/kernel escalation?

Literally only RawCamera is patched in the update - were the other bugs in the chain already patched? Too difficult to patch immediately? (i.e. close the front door while working on replacing the other locks?) Still unknown? (i.e. found a crash dump from RawCamera but didn't get a sample of the full chain?)

gruez

Note that even though the CVE is for an RCE (remote code execution)[1], this specific PoC is at most a DoS (denial of service). There's more work needed to bypass mitigations for it to be actually usable as an RCE.

[1] https://support.apple.com/en-us/124925

MajesticHobo2

I AirDropped the PoC to my vulnerable iPhone. It didn't cause a crash until I tried to edit it in the Photos app.

rvz

Does this affect any of the iOS, iPadOS, macOS, tvOS, watchOS 26 Beta?

Alifatisk

I wonder how much this would be worth for Zerodium

gruez

$0, given it's patched in iOS 18.6.2

crossroadsguy

Before that obviously. Possibly pc meant to ask if the “finder” would have gone to them instead of dealing with Apple directly.

rafram

And given that Zerodium has shut down.


kirito1337

Dang that's so cool!