Ios 18.6.1 0-Click Rce Poc

Posted4 months agoActive4 months ago

akyuu

228 points

56 comments

github.comSecuritystoryHigh profile

informativeneutral

Debate

0/100

Ios SecurityRce ExploitCve-2025-43300

Key topics

Ios Security

Rce Exploit

Cve-2025-43300

The iOS 18.6.1 0-click Remote Code Execution (RCE) Proof of Concept (POC) has sparked a lively debate about its potential value on the zero-day exploit market. Commenters are weighing in on whether Zerodium, a notorious zero-day broker, would be interested, with some pointing out that the company may not be operational anymore, rendering its value "$0". Others are discussing the exploit's worth, citing a "$15M" price tag for a full-chain mobile iOS exploit, although some are skeptical about such high prices being actually paid. The AirDrop requirement for the exploit is also seen as a significant factor in decreasing its value.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

20m

Peak period

18-24h

Avg / period

6.2

Comment distribution56 data points

Loading chart...

Based on 56 loaded comments

Key moments

01Story posted
Aug 25, 2025 at 6:05 PM EDT
4 months ago
Step 01
02First comment
Aug 25, 2025 at 6:26 PM EDT
20m after posting
Step 02
03Peak activity
18 comments in 18-24h
Hottest window of the conversation
Step 03
04Latest activity
Aug 28, 2025 at 11:22 AM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (56 comments)

Showing 56 comments

Alifatisk

4 months ago

3 replies

I wonder how much this would be worth for Zerodium

gruez

4 months ago

2 replies

$0, given it's patched in ios 18.6.2

crossroadsguy

4 months ago

1 reply

Before that obviously. Possibly pc meant to ask if the “finder” would have gone to them instead of dealing with Apple directly.

tptacek

4 months ago

The AirDrop requirement probably decreases its value substantially, but I think all these kinds of questions are kind of tricky to reason about:

https://news.ycombinator.com/item?id=43025038

This might be a weird corner case where Apple would outbid the grey market, but generally even though Apple comes in lower than the grey market (for these very specific kinds of vulnerabilities), the term sheets are different, and the rest of the terms tend to favor going with Apple.

rafram

4 months ago

1 reply

And given that Zerodium has shut down.

anon6362

4 months ago

Its website still works and there's a gpg key, so it's a "shutdown" rather than shutdown.

kingforaday

4 months ago

1 reply

I know the thread is saying $0 because Zerodium doesn't exist anymore, but there are others. This [0] one for a full chain mobile iOS is at $15M. I agree with tptacek though, the airdrop would reduce the value but you may still be in the low 7 figure range for 0 click RCE.

0. https://advance-sec.com/#bounty

tptacek

4 months ago

I don't think this is real. "Full chain Linux desktop" for $10MM? Uh huh.

We recorded a podcast with Mark Dowd a year ago where he said nobody actually gets "list prices" for iOS full chain at $2.5MM (you can make considerably more than that by selling to multiple parties and by selling maintenance) --- and that's iOS, the highest-valued vulnerabilities.

tptacek

4 months ago

$0, since I don't think Zerodium still exists.

MajesticHobo2

4 months ago

2 replies

I AirDropped the PoC to my vulnerable iPhone. It didn't cause a crash until I tried to edit it in the Photos app.

byearthithatius

4 months ago

1 reply

I downloaded the image he provided (https://www.dpreview.com/sample-galleries/4949897610/pentax-...)

The DNG file did have the 01 byte at `2FD00` (from xxd or hexdump -C). However it didn't have a byte position `3E40B`. I tried searching and there is literally no entry at that position. I found a 02 value at 3e40 but not at 3e40b. Is this a typo?

Where did you find it to try and repro?

MajesticHobo2

4 months ago

1 reply

You need to click the link that says "RAW (33.0MB)". The filename should be "IMGP0847.DNG".

byearthithatius

4 months ago

1 reply

Thanks immensely. Very important detail,

Did you find a 02 at 3E40B? I found 01 at 2FD00, but there was no 3E40B byte position entry.

I did find something similar at 00003e40: 00003e40 02 00 04 00 0a 00 00 00 30 01 00 00 00 00 00 00 |........0.......|

MajesticHobo2

4 months ago

1 reply

Yes:

  dd status=none if=IMGP0847.DNG bs=1 skip=0x3e40b count=1 | xxd
  00000000: 02

byearthithatius

4 months ago

1 reply

Thanks! You are correct, when I did a dump with `xxd IMGP0847.DNG > output.hex` it wasn't showing up for some reason.... But your command worked (though my dd doesn't like hex values so I needed to get decimal via printf "%d\n" 0x3E40B).

Curious if you (clearly smarter than me) know why it didn't show correctly in the xxd or hexdump for the file. Would love to learn.

MajesticHobo2

4 months ago

1 reply

  xxd IMGP0847.DNG | grep 03e400:
  0003e400: ffd8 ffc3 000e 0e10 800c 5002 0011 0001  ..........P.....

Look at the byte at offset 11 (0xb), it's there.

byearthithatius

4 months ago

Ohhh the b offset (11) is an offset _on that line_ (0003e400)! I got it now:D This thread taught me a great deal. Thank you, MajesticHobo2!

VladVladikoff

4 months ago

Maybe you need to iMessage it to someone else? Just guessing.

bri3d

4 months ago

1 reply

Where's the 0-click or the RCE here?

I'm actually really curious about how the ITW exploit for this CVE worked; the OOB write is quite obvious in hindsight but going from OOB write to execution on iOS is very much not easy these days, and going from OOB write to sandbox escape should be extremely hard, especially since I thought (?) all image previews in iMessage should be behind BlastDoor. There's a lot of interesting stuff that's still missing here.

gruez

4 months ago

1 reply

>Where's the 0-click or the RCE here?

See my other comment. There's an exploit in the wild that uses this bug to get RCE, but this specific example just causes a crash.

bri3d

4 months ago

Yes, that's what I'm referring to with

> I'm actually really curious about how the ITW exploit for this CVE worked

It's really weird to see only a single OOB write patched for a full 0-click chain in the wild - how did they get code execution? PAC+ASLR bypass? Sandbox escape/kernel escalation?

Literally only RawCamera is patched in the update - were the other bugs in the chain already patched? Too difficult to patch immediately? (ie - close the front door while working on replacing the other locks?)? Still unknown? (ie - found a crash dump from RawCamera but didn't get as sample of the full chain?)

rvz

4 months ago

1 reply

Does this affect any of the iOS, iPadOS macOS, tvOS, watchOS 26 Beta?

Reason077

4 months ago

Apple patched it on August 20, so presumably any release from after this date is not vulnerable.

transpute

4 months ago

3 replies

For iOS defense, enable Lockdown Mode and reboot daily to evict non-persistent malware, https://www.youtube.com/watch?v=fAhTPMmvrB0

> For me, there is only lockdown mode. That is the Apple Experience.

iOS backups can be scanned for the presence of this CVE-2025-43300 DNG processing vulnerability, via OSS tool for iOS forensics, https://github.com/msuiche/elegant-bouncer | https://www.msuiche.com/posts/elegantbouncer-when-you-cant-g...

  ELEGANTBOUNCER is a detection tool for file-based mobile exploits. It employs an innovative approach for advanced file-based threat identification, eliminating the need for in-the-wild samples and outperforming traditional methods based on regular expressions or IOCs. At present, it primarily targets the identification of mobile vulnerabilities such as FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-4863, CVE-2023-41064), and TRIANGULATION (CVE-2023-41990) [and recently added CVE-2025-43300].

https://x.com/darknavyorg/status/1959271176062251333

> While reproducing the iOS ITW CVE-2025-43300 (support.apple.com/en-us/124925), we accidentally triggered another old DNG image parsing vulnerability. The analysis is still ongoing.

notepad0x90

4 months ago

1 reply

I would think mvt and related ioc repos would support these newer indicators,but sadly I'm not seeing that:

https://docs.mvt.re/en/latest/iocs/

transpute

4 months ago

1 reply

It's a different approach:

  Traditional detection approaches like YARA rules, IOC matching, and signature-based systems fall apart when:

   • You don’t have the actual malicious samples to create signatures from
   • The attackers use polymorphic techniques that change file hashes
   • The exploit leverages legitimate file format features in unexpected ways
   • You need to detect future variants of the same technique

  The Philosophy: Structure Over Signatures

  ELEGANTBOUNCER takes a fundamentally different approach to threat detection. Instead of looking for specific byte patterns or known-bad indicators, it analyzes the structural properties of files that make exploits possible.

notepad0x90

4 months ago

I'm just thinking, I'd always prefer to run one tool to verify if a phone has been compromised. If mvt used ELEGANTBOUNCER as a plugin/extension/backend that'd be superb. But, not a big deal, I'm glad I found about this tool, thank you.

I am interested in finding out more on why Yara can't be used to find structural patterns? it is supposed to do a lot more than simple string and byte-pattern matching. Maybe ELEGANTBOUNCER requires keeping/maintaining a complex state machine to evaluate/analyze content?

ThePowerOfFuet

4 months ago

>For iOS defense, enable Lockdown Mode and reboot daily to evict non-persistent malware

For non-iOS defense, run GrapheneOS with all the default safeguards enabled.

saagarjha

4 months ago

Assuming someone hasn't removed it from the filesystem

makestuff

4 months ago

3 replies

How do people even find these types of bugs? Is it just years and years experience allowing you to know where to look?

transpute

4 months ago

Fuzzing is one approach.

"Fuzzing ImageIO" (2020), https://googleprojectzero.blogspot.com/2020/04/fuzzing-image...

> This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a new(er) context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing code were found, reported to Apple or the respective open source image library maintainers, and subsequently fixed. During this research, a lightweight and low-overhead guided fuzzing approach for closed source binaries was implemented and is released alongside this blogpost.

"ImageIO, the infamous iOS Zero Click Attack Vector" (2024), https://r00tkitsmm.github.io/fuzzing/2024/03/29/iOSImageIO.h...

> I used LLDB to examine the testHeader functions, it turned out there are three new testHeader functions for different file formats, such as KTX2 and WebP and ETC, so because they were fairly new I thought maybe they have not been fuzzed by Project Zero... I ported Project Zero’s harness to Jackalope fuzzer.. My fuzzing effort found several vulnerabilities [fixed by Apple]..

tomasphan

4 months ago

Experience /n Fuzzing (when you try a bunch of stuff automatically) /n Reverse engineering the code (using tools like ghidra or hopper)

NoPicklez

4 months ago

Lots of experience in what are common exploit tactics are and where to look and test if things will break.

Identifying an exploit in iOS requires a significant amount of knowledge in how the OS works, what existing exploits are and how you could chain them together to create a larger exploit.

I've have very limited experience, but reading about how some people identify and exploit these things is extremely impressive.

fmajid

4 months ago

2 replies

It's 2025, and Apple clearly still hasn't incorporated fuzzers in their CI and QA. Perhaps I am giving them too much credit in assuming they have any QA in the first place.

tptacek

4 months ago

1 reply

I have no idea what you're talking about; Apple has one of the largest and most sophisticated software security practices on the planet.

pjmlp

4 months ago

They do, but unfortunately it is built on top of a shacky foundation.

transpute

4 months ago

ImageIO has been fuzzed by Google and others, https://news.ycombinator.com/item?id=45034650

user214412412

4 months ago

6 replies

is it me or does ios have a myriad of cves in in the image processing/decoder stack? You'd think they'd sandbox in some kind of memory safe framework/lang by now?

muricula

4 months ago

1 reply

Look up iMessage's "blastdoor" sandbox: https://support.apple.com/guide/security/blastdoor-for-messa...

kaladin-jasnah

4 months ago

FORCEDENTRY bypassed this sandbox IIRC. That was a bug in the JBIG2 decoder.

ladyanita22

4 months ago

1 reply

For some reason, Apple seems reluctant about using Rust on their operating systems.

steve1977

4 months ago

That reason is probably called Swift. But they obviously still have many many system libraries written in Objective-C, plain C or C++.

I don't see them using Rust when they have their own language under their full control, especially since both are targeting LLVM anyway.

GoblinSlayer

4 months ago

1 reply

Also image formats are fairly stable, so they are a good candidate for a verified F* parser. Not sure how easy it is for pdf, maybe start with a reasonable subset of it.

mschuster91

4 months ago

2 replies

Good luck doing that for stuff like PDF which can include JavaScript in the PDF file itself, or SVG+PDF which both can include raw font files, another reliable source of exploits.

GoblinSlayer

4 months ago

PDF/A-1 and PDF/UA require unicode mapping, so embedded font files might be not as critical, you can just render unicode text, and javascript is routinely banned for being inaccessible.

Wowfunhappy

4 months ago

Do any PDF readers other than Adobe's support JS? Apple's certainly does not, unless something has changed recently.

Hilift

4 months ago

Apple should formalize the iMessage de facto DeviceAndAccountTakeover() API call. I lost count how many zero-click it has. Tim Apple can take the privacy high road all day but it doesn't matter if the code is rotten.

https://citizenlab.ca/2025/06/first-forensic-confirmation-of...

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...

https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage...

https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hac...

saagarjha

4 months ago

This isn't just an iOS thing, and they do sandbox it. Parsers are hard.

jimmyl02

4 months ago

unfortunately sandboxes also have bugs which allows for RCE. this is typically called a "full chain" because it chains together a series of bugs (initial decoder exploit + sandbox escape exploit) to gain full RCE

kirito1337

4 months ago

Dang that's so cool!

gruez

4 months ago

Note that even though the CVE is for a RCE (remote code execution)[1], this specific PoC is at most a DoS (denial of service). There's more work needed to bypass mitigations for it to be actually usable as a RCE.

[1] https://support.apple.com/en-us/124925

0x0

4 months ago

Surprised to see no patch available for watchOS, which can also receive images via iMessage. Not important enough to patch, or not vulnerable, or just not exploited in the wild yet?

biosboiii

4 months ago

Also crashes my MacOS Sequoia 15.3.1 Preview App :) https://gist.github.com/AltayAkkus/524acec2b16d4536af0fcee2f...

mkhalil

4 months ago

Seems like it was major enough that it was the lone patch[0] in all active Apple OS's:

macOS Ventura 13.7.8 | macOS Sonoma 14.7.8 | macOS Sequoia 15.6.1

iPadOS 17.7.10 | iPadOS 18.6.2 | iOS 18.6.2

Usually, its multiple CVE's in a security update.

Examples:

- https://support.apple.com/en-us/122375 (macOS Ventura 13.7.5)

- https://support.apple.com/en-us/122718 (macOS Ventura 13.7.6)