CVE-2022-22675

7.8 HIGH

📋 TL;DR

CVE-2022-22675 is an out-of-bounds write vulnerability in Apple operating systems that allows an application to execute arbitrary code with kernel privileges. This vulnerability affects multiple Apple platforms including iOS, iPadOS, macOS, tvOS, and watchOS. Apple has reported that this issue may have been actively exploited in the wild.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • macOS
  • tvOS
  • watchOS
Versions: before tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1, and iPadOS 15.4.1
Operating Systems: Apple iOS, Apple iPadOS, Apple macOS, Apple tvOS, Apple watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard configurations of affected Apple devices are vulnerable. No special configuration required for exploitation.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with kernel-level privileges, allowing attackers to install persistent malware, access all user data, bypass security controls, and maintain persistent access to the device.

🟠

Likely Case

Privilege escalation leading to data theft, surveillance capabilities, or installation of additional malicious payloads on compromised devices.

🟢

If Mitigated

Limited impact with proper network segmentation, endpoint protection, and user privilege restrictions, though kernel-level access remains highly dangerous.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Apple confirmed active exploitation in the wild. Exploitation requires an attacker to have initial access to execute malicious code on the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1

Vendor Advisory: https://support.apple.com/en-us/HT213219

Restart Required: Yes

Instructions:

1. Open the Settings app.
2. Navigate to General > Software Update.
3. Download and install the latest available update.
4. Restart the device when prompted.

🧯 If You Can't Patch

  • Implement strict application allowlisting to prevent unauthorized applications from executing
  • Deploy endpoint detection and response (EDR) solutions with behavioral monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check device version in Settings > General > About > Version. Compare against patched versions listed in Apple advisories.

Check Version:

On macOS: sw_vers -productVersion. On iOS/iPadOS: Check Settings > General > About > Version.

Verify Fix Applied:

Verify device shows patched version number after update installation and restart.
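The version comparison described above can be scripted so that fleet checks do not depend on eyeballing strings. The following POSIX shell script is an added example, not part of the advisory page or Apple's tooling: it compares a macOS productVersion against the fixed releases the advisory lists for the Big Sur (11.6.6) and Monterey (12.3.1) lines, and assumes that any later major line (13 and up) shipped after the fix. The vercmp and is_patched function names are the example's own.

```shell
#!/bin/sh
# Added example: is a macOS productVersion at or above the fixed release
# for CVE-2022-22675? Fixed versions taken from the advisory:
#   macOS Big Sur 11.6.6, macOS Monterey 12.3.1
# Assumption (not stated on the page): major lines above 12 include the fix.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (dotted numeric versions;
# missing components are treated as 0, so 12.3 == 12.3.0).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    [ "$ah" = "$a" ] && a="" || a=${a#*.}
    [ "$bh" = "$b" ] && b="" || b=${b#*.}
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then echo -1; return 0; fi
    if [ "$ah" -gt "$bh" ]; then echo 1; return 0; fi
  done
  echo 0
}

# is_patched VERSION: returns 0 if VERSION is at or above the fixed release
# for its major line, 1 if it is below it (vulnerable), 2 if the major line
# has no fixed release listed in the advisory (e.g. macOS 10.x).
is_patched() {
  v="$1"
  major=${v%%.*}
  case "$major" in
    11) min="11.6.6" ;;   # macOS Big Sur
    12) min="12.3.1" ;;   # macOS Monterey
    *)
      if [ "$major" -gt 12 ] 2>/dev/null; then return 0; fi
      return 2 ;;
  esac
  if [ "$(vercmp "$v" "$min")" -ge 0 ]; then return 0; else return 1; fi
}

# On a Mac, check the running system. sw_vers exists only on macOS, so the
# check is skipped elsewhere and the functions can still be used directly.
if command -v sw_vers >/dev/null 2>&1; then
  cur=$(sw_vers -productVersion)
  is_patched "$cur"; rc=$?
  case "$rc" in
    0) echo "macOS $cur: at or above the fixed release for CVE-2022-22675" ;;
    1) echo "macOS $cur: below the fixed release, update required" ;;
    *) echo "macOS $cur: no fixed release listed for this line, treat as unpatched" ;;
  esac
fi
```

Run it on the device itself or feed is_patched the versions collected by an MDM inventory; an exit status of 2 is deliberately distinct from 1 so that end-of-life lines the advisory does not cover are flagged rather than silently counted as fixed.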

📡 Detection & Monitoring

Log Indicators:

  • Unexpected kernel module loading
  • Privilege escalation events
  • Unusual process creation from userland to kernel space

Network Indicators:

  • Connections to known malicious C2 servers following privilege escalation

SIEM Query:

Process creation where parent process has low privileges and child process has SYSTEM/root privileges on Apple devices
