I know the thread is saying $0 because Zerodium doesn't exist anymore, but there are others. This [0] one for a full chain mobile iOS is at $15M. I agree with tptacek though, the airdrop would reduce the value but you may still be in the low 7 figure range for 0 click RCE.
I don't think this is real. "Full chain Linux desktop" for $10MM? Uh huh.
We recorded a podcast with Mark Dowd a year ago where he said nobody actually gets "list prices" for iOS full chain at $2.5MM (you can make considerably more than that by selling to multiple parties and by selling maintenance) --- and that's iOS, the highest-valued vulnerabilities.
The DNG file did have the 01 byte at `2FD00` (from xxd or hexdump -C). However it didn't have a byte position `3E40B`. I tried searching and there is literally no entry at that position. I found a 02 value at 3e40 but not at 3e40b. Is this a typo?
Note that even though the CVE is for a RCE (remote code execution)[1], this specific PoC is at most a DoS (denial of service). There's more work needed to bypass mitigations for it to be actually usable as a RCE.
I'm actually really curious about how the ITW exploit for this CVE worked; the OOB write is quite obvious in hindsight but going from OOB write to execution on iOS is very much not easy these days, and going from OOB write to sandbox escape should be extremely hard, especially since I thought (?) all image previews in iMessage should be behind BlastDoor. There's a lot of interesting stuff that's still missing here.
Surprised to see no patch available for watchOS, which can also receive images via iMessage. Not important enough to patch, or not vulnerable, or just not exploited in the wild yet?
ELEGANTBOUNCER is a detection tool for file-based mobile exploits. It employs an innovative approach for advanced file-based threat identification, eliminating the need for in-the-wild samples and outperforming traditional methods based on regular expressions or IOCs. At present, it primarily targets the identification of mobile vulnerabilities such as FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-4863, CVE-2023-41064), and TRIANGULATION (CVE-2023-41990) [and recently added CVE-2025-43300].
> While reproducing the iOS ITW CVE-2025-43300 (support.apple.com/en-us/124925), we accidentally triggered another old DNG image parsing vulnerability. The analysis is still ongoing.
It's 2025, and Apple clearly still hasn't incorporated fuzzers in their CI and QA. Perhaps I am giving them too much credit in assuming they have any QA in the first place.
is it me or does ios have a myriad of cves in in the image processing/decoder stack? You'd think they'd sandbox in some kind of memory safe framework/lang by now?
24 comments
[ 3.3 ms ] story [ 48.6 ms ] thread0. https://advance-sec.com/#bounty
We recorded a podcast with Mark Dowd a year ago where he said nobody actually gets "list prices" for iOS full chain at $2.5MM (you can make considerably more than that by selling to multiple parties and by selling maintenance) --- and that's iOS, the highest-valued vulnerabilities.
The DNG file did have the 01 byte at `2FD00` (from xxd or hexdump -C). However it didn't have a byte position `3E40B`. I tried searching and there is literally no entry at that position. I found a 02 value at 3e40 but not at 3e40b. Is this a typo?
Where did you find it to try and repro?
[1] https://support.apple.com/en-us/124925
I'm actually really curious about how the ITW exploit for this CVE worked; the OOB write is quite obvious in hindsight but going from OOB write to execution on iOS is very much not easy these days, and going from OOB write to sandbox escape should be extremely hard, especially since I thought (?) all image previews in iMessage should be behind BlastDoor. There's a lot of interesting stuff that's still missing here.
macOS Ventura 13.7.8 | macOS Sonoma 14.7.8 | macOS Sequoia 15.6.1
iPadOS 17.7.10 | iPadOS 18.6.2 | iOS 18.6.2
Usually, its multiple CVE's in a security update.
Examples:
- https://support.apple.com/en-us/122375 (macOS Ventura 13.7.5)
- https://support.apple.com/en-us/122718 (macOS Ventura 13.7.6)
- https://support.apple.com/en-us/124151 (macOS Ventura 13.7.7)
--------------------------- References/Sources ---------------------------
[0] https://support.apple.com/en-us/124925 -> https://support.apple.com/en-us/124929 | (124925 -> 124929)
https://support.apple.com/en-us/100100
https://nvd.nist.gov/vuln/detail/CVE-2025-43300#vulnConfigur...
> For me, there is only lockdown mode. That is the Apple Experience.
iOS backups can be scanned for the presence of this CVE-2025-43300 DNG processing vulnerability, via OSS tool for iOS forensics, https://github.com/msuiche/elegant-bouncer | https://www.msuiche.com/posts/elegantbouncer-when-you-cant-g...
https://x.com/darknavyorg/status/1959271176062251333> While reproducing the iOS ITW CVE-2025-43300 (support.apple.com/en-us/124925), we accidentally triggered another old DNG image parsing vulnerability. The analysis is still ongoing.