CVE-2020-9802

HIGH EXPLOITED

iCloud < 7.19 - Remote Code Execution

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-9802 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Billy-Ellis, khcujw.

AI-analyzed exploit summary This repository provides a high-level explanation and references for an iOS browser exploit targeting CVE-2020-9802, a JIT compiler bug in WebKit. It includes credits to prior research and a video explanation but lacks detailed technical analysis or functional exploit code.

Description

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing maliciously crafted web content may lead to arbitrary code execution.

Exploits (2)

nomisec WRITEUP 7 stars
by Billy-Ellis · client-side
https://github.com/Billy-Ellis/jitsploitation

This repository provides a high-level explanation and references for an iOS browser exploit targeting CVE-2020-9802, a JIT compiler bug in WebKit. It includes credits to prior research and a video explanation but lacks detailed technical analysis or functional exploit code.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: WebKit (macOS and iOS)
No auth needed
Prerequisites: Victim interaction (clicking a link) · WebKit-based browser on macOS/iOS
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 1 stars
by khcujw · client-side
https://github.com/khcujw/CVE-2020-9802

This repository contains a functional exploit for CVE-2020-9802, a WebKit JavaScriptCore vulnerability. The exploit leverages a compiler bug in integer range optimization to achieve arbitrary memory read/write, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: WebKit JavaScriptCore (Safari 13.1, macOS 10.15.4, iOS 13.4)
No auth needed
Prerequisites: Victim must visit a malicious webpage · Specific WebKit version (Safari 13.1 or iOS 13.4)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (7)

Core 7
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211168
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211171
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211175
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211178
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211179
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211181
Broken Link, Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211177

Scores

CVSS v3 8.8
EPSS 0.0827
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2024-05-06
Status published
Products (7)
apple/icloud < 7.19
apple/ipados < 13.5
apple/iphone_os < 13.5
apple/itunes < 12.10.7
apple/safari < 13.1.1
apple/tvos < 13.4.5
apple/watchos < 6.2.5
Published Jun 09, 2020
Tracked Since Feb 18, 2026