Security News > 2020 > April > Zero-Day Vulnerabilities in iOS Mail App Exploited in Targeted Attacks

The Mail application in iOS is affected by two critical zero-day vulnerabilities that appear to have been exploited in targeted attacks since at least January 2018, cybersecurity automation company ZecOps reported on Wednesday.
The vulnerabilities, described as out-of-bounds write and heap overflow issues, affect the MobileMail application on iOS 12 and maild on iOS 13, and they can be exploited by sending specially crafted emails to the targeted user.
The attack does not require any user interaction on iOS 13; opening the Mail app in the background is enough to trigger the exploit.
On iOS 12, the targeted user needs to click on the malicious email to trigger the exploit - zero-click attacks are possible on iOS 12 if the attacker can control the mail server.
"Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities - in particular, the remote heap overflow - are widely exploited in the wild in targeted attacks by an advanced threat operator(s)," ZecOps said in a blog post.
News URL
Related news
- Apple fixes zero-day exploited in 'extremely sophisticated' attacks (source)
- Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200) (source)
- Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update (source)
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
- Broadcom fixes three VMware zero-days exploited in attacks (source)
- Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack (source)