Apple fixes iOS zero-day used to deploy NSO iPhone spyware (Security News, September 2021)

Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs.
CVE-2021-30860 is an integer overflow in CoreGraphics, discovered by Citizen Lab, that lets an attacker craft a malicious PDF document which executes arbitrary code when opened on iOS or macOS. CVE-2021-30858 is a use-after-free in WebKit that lets an attacker craft a web page which executes arbitrary code when it is visited on an iPhone or Mac; Apple credits an anonymous researcher for reporting it.
While Apple did not release any further information on how the vulnerabilities were used in attacks, CVE-2021-30860 is believed to be one of the zero-days abused by the zero-click iMessage exploit named 'FORCEDENTRY'.
Citizen Lab disclosed in August that the FORCEDENTRY exploit was used to bypass the iOS BlastDoor security feature to deploy the NSO Pegasus spyware on devices belonging to Bahraini activists.
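Apple describes the CoreGraphics bug only as an integer overflow that was "addressed with improved input validation". The following is an added illustration of that bug class, not Apple's code and not the CVE-2021-30860 bug itself: an image header's dimensions are multiplied in 32-bit arithmetic, the product wraps to a small value, the parser allocates a buffer of that size, and the decoder then writes the real number of bytes into it. The hardened version checks every multiplication before it happens and rejects the header. The `image_hdr_t` layout, the `MAX_IMAGE_BYTES` cap and the 16-bytes-per-pixel limit are assumptions made for the example.

```c
/* Added example of an integer-overflow-to-undersized-allocation pattern.
 * This is not CoreGraphics code and not the actual CVE-2021-30860 defect;
 * the header layout and limits below are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_IMAGE_BYTES (256u * 1024u * 1024u) /* assumed sanity cap: 256 MiB */
#define MAX_BYTES_PER_PIXEL 16u                /* assumed limit */

/* Constructed, simplified image header as a parser might read it from a file. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_hdr_t;

/* Vulnerable pattern: the product is computed in 32-bit unsigned arithmetic
 * and silently wraps, so a parser allocates a far smaller buffer than the
 * decoder will later fill. */
uint32_t unsafe_buffer_size(image_hdr_t h)
{
    return h.width * h.height * h.bytes_per_pixel;
}

/* Number of bytes a decoder would actually write for this header, computed in
 * 64-bit (valid for headers whose true size fits in 64 bits, as here). */
uint64_t bytes_decoder_writes(image_hdr_t h)
{
    return (uint64_t)h.width * h.height * h.bytes_per_pixel;
}

/* Hardened pattern: reject zero or absurd fields, then check each
 * multiplication against SIZE_MAX before performing it.
 * Returns the validated size, or 0 if the header is rejected. */
size_t safe_buffer_size(image_hdr_t h)
{
    if (h.width == 0 || h.height == 0 ||
        h.bytes_per_pixel == 0 || h.bytes_per_pixel > MAX_BYTES_PER_PIXEL)
        return 0;
    size_t w = h.width, hgt = h.height, bpp = h.bytes_per_pixel;
    if (w > SIZE_MAX / hgt)            /* w * hgt would overflow size_t */
        return 0;
    size_t pixels = w * hgt;
    if (pixels > SIZE_MAX / bpp)       /* pixels * bpp would overflow size_t */
        return 0;
    size_t total = pixels * bpp;
    if (total > MAX_IMAGE_BYTES)       /* well-formed but unreasonably large */
        return 0;
    return total;
}

int main(void)
{
    /* Constructed inputs: a benign 640x480 RGBA image and a header whose
     * 65536 * 65536 product wraps to 0 in 32 bits. */
    image_hdr_t benign = { 640, 480, 4 };
    image_hdr_t evil   = { 65536, 65536, 4 };

    printf("benign: unsafe=%u safe=%zu decoder writes=%llu\n",
           unsafe_buffer_size(benign), safe_buffer_size(benign),
           (unsigned long long)bytes_decoder_writes(benign));
    printf("evil:   unsafe=%u safe=%zu decoder writes=%llu\n",
           unsafe_buffer_size(evil), safe_buffer_size(evil),
           (unsigned long long)bytes_decoder_writes(evil));
    return 0;
}
```

For the wrapping header the unsafe path returns 0 bytes while the decoder would write 2^34 bytes, which is the undersized-allocation condition that turns a parser bug into a heap overflow; the hardened path refuses the header before any allocation takes place.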
It has been a very busy year for Apple, with what seems like an unending stream of zero-day vulnerabilities used in targeted attacks against iOS and Mac devices.
Google's Project Zero also disclosed 11 zero-day vulnerabilities this year that were used in attacks targeting Windows, iOS, and Android devices.
Related news
- Apple backports zero-day patches to older iPhones and Macs
- Apple fixes two zero-days exploited in targeted iPhone attacks
- Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201)
- ⚡ Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More
- Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices
- Apple Rolls Out iOS 18.4 With New Languages, Emojis & Apple Intelligence in the EU
- Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks
- Apple Patches Two Zero-Days Used in 'Extremely Sophisticated' Attacks
- Google: 97 zero-days exploited in 2024, over 50% in spyware attacks
- Super spyware maker NSO must pay Meta $168M in WhatsApp court battle
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score)
---|---|---|---
2021-08-24 | CVE-2021-30860 | Integer Overflow or Wraparound vulnerability in multiple products. An integer overflow was addressed with improved input validation. | 7.8
2021-08-24 | CVE-2021-30858 | Use After Free vulnerability in multiple products. A use after free issue was addressed with improved memory management. | 8.8