Four Remotely Exploitable iOS Flaws

  • CERT Admin
  • Wed Aug 07 2019
  • Alerts

Systems Affected 

iOS versions below 12.5

Threat Level



An attacker could target Apple iOS devices just by sending a maliciously crafted message via iMessage (CVE-2019-8647, CVE-2019-8662, CVE-2019-8660, CVE-2019-8646).


  ✦  CVE-2019-8647 (RCE via iMessage) ‐ This is a use-after-free vulnerability in the Core Data framework of iOS that can cause arbitrary code execution due to insecure deserialization when the NSArray initWithCoder method is used.

  ✦  CVE-2019-8662 (RCE via iMessage) ‐ This flaw is similar to the use-after-free vulnerability above. It resides in the QuickLook component of iOS and can also be triggered remotely via iMessage.

  ✦  CVE-2019-8660 (RCE via iMessage) ‐ This is a memory corruption issue in the Core Data framework and Siri component which, if exploited successfully, could allow remote attackers to cause unexpected application termination or arbitrary code execution.

  ✦  CVE-2019-8646 (File Read via iMessage) ‐ This flaw, which also resides in the Siri and Core Data iOS components, could allow an attacker to remotely read the content of files stored on iOS devices without user interaction, as the user mobile with no sandbox.


  ✦  Execute arbitrary code
  ✦  Data modifications

Solution/Workarounds

  ✦  Apply iOS 12.4 update




The information provided herein is on an "as is" basis, without warranty of any kind.

Last updated: Wed Aug 07 2019