CVE-2021-1748

8.8 HIGH

📋 TL;DR

This vulnerability allows arbitrary JavaScript code execution when processing malicious URLs due to improper input validation. It affects Apple iOS, iPadOS, tvOS, and watchOS devices. Attackers can exploit this to execute arbitrary code in the context of the affected application.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • tvOS
  • watchOS
Versions: Prior to iOS 14.4, iPadOS 14.4, tvOS 14.4, watchOS 7.3
Operating Systems: iOS, iPadOS, tvOS, watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected versions are vulnerable by default when processing URLs.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing data theft, credential harvesting, and installation of persistent malware.

🟠 Likely Case: Session hijacking, credential theft, and unauthorized access to device data through malicious web content.

🟢 If Mitigated: Limited impact with proper network segmentation and application sandboxing, though code execution is still possible.

🌐 Internet-Facing: HIGH - Exploitable via malicious URLs accessible from the internet.
🏢 Internal Only: MEDIUM - Requires user interaction with malicious content, but internal phishing could facilitate exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious URL) but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 14.4, iPadOS 14.4, tvOS 14.4, watchOS 7.3

Vendor Advisory: https://support.apple.com/en-us/HT212146

Restart Required: Yes

Instructions:

  1. Go to Settings > General > Software Update.
  2. Download and install the available update.
  3. Restart device when prompted.

🔧 Temporary Workarounds

Disable automatic URL processing

all

Configure devices to not automatically process URLs or use web content filters.

Network filtering

all

Block known malicious URLs at network perimeter using web filters or DNS security.

🧯 If You Can't Patch

  • Implement strict web content filtering to block malicious URLs
  • Educate users about phishing risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check device version in Settings > General > About > Version. If version is below iOS 14.4, iPadOS 14.4, tvOS 14.4, or watchOS 7.3, device is vulnerable.

Check Version:

Not applicable - check via device settings interface

Verify Fix Applied:

Verify device version is iOS 14.4+, iPadOS 14.4+, tvOS 14.4+, or watchOS 7.3+ in Settings > General > About > Version.
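
For a fleet, the same version check can be run over an inventory export instead of device by device. The script below is an added example, not part of the advisory or of any Apple tooling; the CSV column names and the sample rows are constructed assumptions, and only the patched-version thresholds come from this page.

```python
import csv
import io

# First fixed release per platform, taken from the advisory text above.
PATCHED = {"ios": (14, 4), "ipados": (14, 4), "tvos": (14, 4), "watchos": (7, 3)}

# Constructed sample inventory (hypothetical MDM export; column names are assumptions).
SAMPLE_INVENTORY = """device,os,version
phone-01,iOS,14.3
phone-02,iOS,14.10
tablet-01,iPadOS,14.4
tv-01,tvOS,13.4.8
watch-01,watchOS,7.3.1
watch-02,watchOS,7.2
mac-01,macOS,11.1
phone-03,iOS,unknown
"""

def parse_version(text):
    """Turn '14.4.1' into (14, 4, 1); raise ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(os_name, version):
    """Return 'vulnerable', 'patched', or 'unknown' for one device record."""
    fixed = PATCHED.get(os_name.strip().lower())
    if fixed is None:
        return "unknown"          # platform not covered by this advisory
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"          # unparsable version: flag for manual review
    # Tuples compare numerically, so 14.10 sorts above 14.4 (a string compare would not).
    return "patched" if parsed >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map each device name to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: classify(row["os"], row["version"]) for row in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as "unknown" still need the manual Settings check described above.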

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL processing patterns
  • JavaScript execution errors in web logs

Network Indicators:

  • Requests to known malicious domains delivering exploit payloads

SIEM Query:

Not specifically applicable - monitor for anomalous web traffic patterns
