HighCISA KEVExploited in the wildPublic exploit

Apple kernel memory protections bypass in iOS/iPadOS/macOS/tvOS/watchOS/visionOS

IdentifiersCVE-2024-23225CWE-787· Out-of-bounds Write

CVE-2024-23225 is a memory corruption vulnerability in Apple operating systems. Apple states the issue was addressed with improved validation. The flaw can allow an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections. Public reporting and exploit-kit references identify this CVE as a Page Protection Layer (PPL) bypass used against iOS 17.0 through 17.3 under the exploit name "Sparrow." Apple released fixes in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, tvOS 17.4, visionOS 1.1, and watchOS 10.4. Apple also noted that the issue may have been exploited in the wild.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables bypass of kernel memory protections, undermining core kernel hardening boundaries. In practical exploit chains, this can be used to defeat PPL-style protections and facilitate deeper post-exploitation actions at kernel level, increasing the likelihood of full device compromise, persistence-enabling actions, and access to sensitive data or protected processes. Apple has indicated the vulnerability may have been exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting use of untrusted web content and enabling Apple Lockdown Mode for high-risk users where operationally feasible, since reporting on related exploit chains indicates Lockdown Mode can block Coruna-style attacks. Monitor for signs of exploit-chain activity and prioritize rapid upgrade of devices on affected versions. These measures are temporary risk reductions and do not replace installing Apple's security updates.

Remediation

Patch, then assume compromise.

Apply Apple's fixed releases: iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, tvOS 17.4, visionOS 1.1, and watchOS 10.4 or later. Prioritize patching exposed and high-risk devices, especially those running iOS 17.0 through 17.3. Ensure enterprise patch management covers all affected Apple platform families and verify update deployment success.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AppleIpad Osoperating_system

AppleIpadosoperating_system

AppleIphone Osoperating_system

AppleMacosoperating_system

AppleTvosoperating_system

AppleVisionosapplication

AppleWatchosoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

breakglass intelNews

Apr 2, 2026

PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown - Breakglass Intelligence - Breakglass Intelligence

An iOS vulnerability listed as exploited by the Coruna exploit kit.

security affairsNews

Mar 20, 2026

Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge

A PPL bypass vulnerability used by the Coruna exploit kit in iOS full-chain exploitation.

security affairsNews

Mar 12, 2026

Apple issues emergency fixes for Coruna flaws in older iOS versions

A PPL bypass vulnerability used in Coruna exploit chains to bypass iOS platform protections and enable later-stage compromise.

arstechnica securityNews

Mar 6, 2026

Feds take notice of iOS vulnerabilities exploited under mysterious circumstances - Ars Technica

An iOS PPL bypass vulnerability used in Coruna exploit chains affecting iOS 17.0–17.3.

+6 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence12

Every observed campaign linking this CVE to a named adversary.

Associated malware16

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-23225

NVD

nvd.nist.gov/vuln/detail/CVE-2024-23225

MITRE CWE · CWE-787

Out-of-bounds Write

Vendor Advisory

support.apple.com/en-us/120880

Vendor Advisory

support.apple.com/en-us/120881

Vendor Advisory

support.apple.com/en-us/120882

Vendor Advisory

support.apple.com/en-us/120883

Vendor Advisory

support.apple.com/en-us/120884

Vendor Advisory

support.apple.com/en-us/120886

Vendor Advisory

support.apple.com/en-us/120893

Vendor Advisory

support.apple.com/en-us/120895

Vendor Advisory

support.apple.com/en-us/HT214081

+17 more references

view more in app