CVE-2009-0961

Apple iPhone OS <2.2.1 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-0961. PoCs published by Collin Mulliner.

AI-analyzed exploit summary This exploit leverages a security-bypass vulnerability in Apple iPhone's Safari browser to automatically place a call without user approval. It uses a JavaScript loop to generate a large SMS payload followed by a tel: URI to trigger the call.

Description

The Mail component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 dismisses the call approval dialog when another alert appears, which might allow remote attackers to force the iPhone to place a call without user approval by causing an application to trigger an alert.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Collin Mulliner · htmlremotehardware
https://www.exploit-db.com/exploits/33046

This exploit leverages a security-bypass vulnerability in Apple iPhone's Safari browser to automatically place a call without user approval. It uses a JavaScript loop to generate a large SMS payload followed by a tel: URI to trigger the call.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apple iPhone (prior to version 3.0)
No auth needed
Prerequisites: Victim must open the malicious HTML page in Safari on a vulnerable iPhone
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Collin Mulliner · htmlremotehardware
https://www.exploit-db.com/exploits/33045

This exploit demonstrates a security-bypass vulnerability in Apple iPhone's Safari browser, allowing automatic call placement without user approval by embedding a tel: URI in an iframe. The exploit leverages a meta refresh to redirect and a JavaScript timeout to trigger the call.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apple iPhone Safari (prior to iOS 3.0)
No auth needed
Prerequisites: Victim must visit the malicious webpage on a vulnerable iPhone
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Collin Mulliner · htmlremotehardware
https://www.exploit-db.com/exploits/33044

This exploit demonstrates a security-bypass vulnerability in Apple iPhone's Safari browser, allowing automatic call placement without user approval by embedding malicious 'tel:' and 'sms:' URIs in an HTML iframe. The PoC triggers multiple call dialogs to increase the likelihood of a successful attack.

Classification
Working Poc 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Apple iPhone (prior to iOS 3.0)
No auth needed
Prerequisites: Victim must open the malicious HTML page in Safari on a vulnerable iPhone
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Patch, Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT3639
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1621
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/55238
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35414
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51210

Scores

EPSS 0.0638
EPSS Percentile 92.8%

Details

Status published
Products (19)
apple/iphone_os 1.0.0
apple/iphone_os 1.0.1
apple/iphone_os 1.0.2
apple/iphone_os 1.1.0
apple/iphone_os 1.1.1
apple/iphone_os 1.1.2
apple/iphone_os 1.1.3
apple/iphone_os 1.1.4
apple/iphone_os 1.1.5
apple/iphone_os 2.0
... and 9 more
Published Jun 19, 2009
Tracked Since Feb 18, 2026