CVE-2024-44258

HIGH EXPLOITED

iPadOS < 17.7.1 - Arbitrary File Write via Symlink Handling

Title source: llm

Exploitation Summary

CVE-2024-44258 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including ifpdz, missaels235, and fuzzlove.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2024-44258, a symlink vulnerability in Apple's ManagedConfiguration framework and profiled daemon. It includes a patch explanation, steps to reproduce, and a proof-of-concept code snippet demonstrating the exploit.

Description

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1, tvOS 18.1, visionOS 2.1. Restoring a maliciously crafted backup file may lead to modification of protected system files.

Exploits (3)

nomisec WRITEUP 89 stars
by ifpdz · client-side
https://github.com/ifpdz/CVE-2024-44258

This repository provides a detailed technical analysis of CVE-2024-44258, a symlink vulnerability in Apple's ManagedConfiguration framework and profiled daemon. It includes a patch explanation, steps to reproduce, and a proof-of-concept code snippet demonstrating the exploit.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Apple ManagedConfiguration framework and profiled daemon (iOS)
No auth needed
Prerequisites: Access to craft a backup file · Ability to restore the backup to an iOS device
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 2 stars
by missaels235 · local
https://github.com/missaels235/POC-CVE-2024-44258-Py

This repository contains a conceptual proof-of-concept (PoC) for CVE-2024-44258, a symlink vulnerability in iOS backup restoration. The PoC demonstrates the structure and steps required to exploit the vulnerability but does not implement the full exploit, particularly the manipulation of the Manifest.mbdb file.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: iOS (versions prior to 17.7.1, 18.1, iPadOS 17.7.1, iPadOS 18.1, visionOS 2.1, tvOS 18.1)
No auth needed
Prerequisites: Python 3.7+ · libimobiledevice · iOS device with vulnerable version
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 star
by fuzzlove · local
https://github.com/fuzzlove/SparstanBoogie-CVE-2024-44258

This repository contains a functional exploit for CVE-2024-44258, which leverages improper symlink handling in iOS/iPadOS backup restoration to modify protected system files. The exploit targets iOS/iPadOS versions 15.2 to 17.0 and includes Python scripts to craft malicious backup files.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: iOS/iPadOS 15.2 - 17.0
No auth needed
Prerequisites: Access to a vulnerable iOS/iPadOS device · Ability to restore a crafted backup file
devstral-2 · analyzed May 13, 2026

Scores

CVSS v3 7.1
EPSS 0.0075
EPSS Percentile 50.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2024-11-02
CWE CWE-59
Status published
Products (8)
Apple/iOS and iPadOS < 17.7.1
Apple/iOS and iPadOS < 18.1
apple/ipados < 17.7.1
apple/iphone_os < 17.7.1
apple/tvos < 18.1
Apple/tvOS < 18.1
apple/visionos < 2.1
Apple/visionOS < 2.1
Published Oct 28, 2024
Tracked Since Feb 18, 2026