Threat actors actively exploiting the remote code execution vulnerability tagged CVE-2022-42827. On compromised iOS devices, an application may be able to execute arbitrary code with kernel privileges, according to Apple’s advisory.
There is no CVSS score assigned to this vulnerability.
The update fixes 19 more security flaws in addition to CVE-2022-42827, including two in the Kernel, three in Point-to-Point Protocol (PPP), two in WebKit, and one each in AppleMobileFileIntegrity, Core Bluetooth, IOKit, Sandbox, and more.
Which iOS Versions are Vulnerable?
iOS versions before 16.1 are vulnerable to mentioned vulnerabilities.
The security update is available for the following:
- iPhone 8 and later
- iPad Pro (all models)
- iPad Air 3rd generation and later
- iPad 5th generation and later
- iPad mini 5th generation and later
Since the beginning of the year, Apple has patched up eight actively exploited zero-day weaknesses and one publicly known zero-day vulnerability.
Apple has stated that it is aware of a report of active exploitation. The company has not published publishes an official proof-of-concept (PoC).
Apple has not recommended any workarounds. It is advised to update to the latest iOS version.