CVE-2023-41991

MEDIUM KEV

Apple iPadOS < 16.7 - Improper Certificate Validation

Description

A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Exploits (3)

nomisec WORKING POC 6 stars
by itsgiddd · poc
https://github.com/itsgiddd/CVE-2023-41991
nomisec WORKING POC
by dmytrozykov · poc
https://github.com/dmytrozykov/appsign
vulncheck_xdb WORKING POC
local
https://github.com/Zenyith/CVE-2023-41991

Scores

CVSS v3 5.5
EPSS 0.0322
EPSS Percentile 87.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CISA KEV 2023-09-25
VulnCheck KEV 2023-09-12
InTheWild.io 2023-09-12
ENISA EUVD EUVD-2023-46450
CWE CWE-295
Status published
Products (5)
apple/ipados 17.0
apple/ipados < 16.7
apple/iphone_os 17.0
apple/iphone_os < 16.7
apple/macos 13.0 - 13.6
Published Sep 21, 2023
KEV Added Sep 25, 2023
Tracked Since Feb 18, 2026