CVE-2017-2404
LOW | EXPLOITED IN THE WILD
iPhone OS < 10.3 - Unauthenticated Arbitrary Telephone Call via Quick Look PDF tel: URL
Title source: llm
Exploitation Summary
CVE-2017-2404 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Quick Look" component. It allows remote attackers to trigger telephone calls to arbitrary numbers via a tel: URL in a PDF document, as exploited in the wild in October 2016.
References (4)
Core References
Press/Media Coverage, Third Party Advisory (x_refsource_misc): https://www.engadget.com/2017/03/31/apple-fixes-ios-loophole-911-overload/
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1038139
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/97138
Vendor Advisory (x_refsource_confirm): https://support.apple.com/HT207617
Scores
CVSS v3: 3.3
EPSS: 0.0142
EPSS Percentile: 69.4%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
VulnCheck KEV: 2017-04-01
InTheWild.io: 2019-10-03
CWE: CWE-601
Status: published
Products (1)
apple/iphone_os < 10.2.1
Published: Apr 02, 2017
Tracked Since: Feb 18, 2026