CVE-2023-23526

9.8 CRITICAL

📋 TL;DR

This vulnerability allows malicious files downloaded from iCloud shared-by-me folders to bypass Gatekeeper security checks on Apple devices. It affects macOS, iOS, and iPadOS users who download files from their own iCloud shared folders, potentially enabling arbitrary code execution.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
Versions: Versions before macOS Ventura 13.3, iOS 16.4, and iPadOS 16.4
Operating Systems: macOS, iOS, iPadOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects files downloaded from the user's own iCloud shared-by-me folders, not files shared by others.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could execute arbitrary code with user privileges, potentially leading to full system compromise, data theft, or malware installation.

🟠

Likely Case

Users downloading malicious files from their own iCloud shared folders could have malware bypass security checks and execute on their devices.

🟢

If Mitigated

With Gatekeeper functioning properly, malicious files would be blocked or require explicit user approval to run.

🌐 Internet-Facing: MEDIUM - Requires user interaction (downloading files) but leverages cloud storage infrastructure.
🏢 Internal Only: LOW - Primarily affects individual user devices rather than internal network infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to download a malicious file from their own iCloud shared folder. No authentication bypass is needed beyond the Gatekeeper bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Ventura 13.3, iOS 16.4, iPadOS 16.4

Vendor Advisory: https://support.apple.com/en-us/HT213670

Restart Required: Yes

Instructions:

1. Open System Settings (macOS) or Settings (iOS/iPadOS).
2. Navigate to General > Software Update.
3. Install the available update to macOS 13.3, iOS 16.4, or iPadOS 16.4 or later.
4. Restart your device when prompted.

🔧 Temporary Workarounds

Disable iCloud File Sharing

Platforms: all

Temporarily disable iCloud file sharing to prevent downloading files from shared-by-me folders.

Avoid Downloading from iCloud Shared Folders

Platforms: all

Do not download files from your own iCloud shared folders until patched.

🧯 If You Can't Patch

  • Avoid downloading files from iCloud shared-by-me folders
  • Use alternative file sharing methods (email, USB drives, other cloud services)

🔍 How to Verify

Check if Vulnerable:

Check the macOS version under System Settings > General > About, and the iOS/iPadOS version under Settings > General > About. If the version is below macOS 13.3, iOS 16.4, or iPadOS 16.4, the device is vulnerable.

Check Version:

  • macOS: sw_vers -productVersion
  • iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify that the version is macOS 13.3 or later, iOS 16.4 or later, or iPadOS 16.4 or later. Test by downloading a file from an iCloud shared-by-me folder; Gatekeeper should now check it properly.
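The version check above is easy to get wrong when done by eye (for example, 13.10 sorts after 13.3 numerically but before it as a string). The following POSIX shell script is an added example, not part of this advisory or of any Apple tooling: it compares a dotted version string field by field against the first fixed releases stated on this page (macOS 13.3, iOS/iPadOS 16.4) and, when run on a Mac, feeds it the output of the real `sw_vers -productVersion` command. The function names `vfield`, `version_lt` and `is_vulnerable` are this example's own.

```shell
#!/bin/sh
# Added example for CVE-2023-23526 (not from the advisory or from Apple).
# Fixed releases are taken from the advisory: macOS 13.3, iOS 16.4, iPadOS 16.4.

# vfield VERSION N: print the N-th dotted component of VERSION as a number,
# or 0 when the component is absent (so "13.3" compares like "13.3.0").
vfield() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ v = (n <= NF) ? $n : 0; if (v == "") v = 0; print v + 0 }'
}

# version_lt A B: return 0 (true) if dotted version A is strictly lower than B.
# Compares up to three numeric components, so 13.10 is correctly above 13.3.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i")
        y=$(vfield "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i+1))
    done
    return 1   # equal: not lower
}

# is_vulnerable PLATFORM VERSION: return 0 if VERSION predates the fix for
# PLATFORM (macos, ios, ipados); return 2 for an unknown platform.
is_vulnerable() {
    case "$1" in
        macos)       fixed=13.3 ;;
        ios|ipados)  fixed=16.4 ;;
        *) echo "unknown platform: $1" >&2; return 2 ;;
    esac
    version_lt "$2" "$fixed"
}

# Live check: only meaningful on a Mac, where sw_vers exists.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    if is_vulnerable macos "$v"; then
        echo "macOS $v: below 13.3, CVE-2023-23526 fix not applied"
    else
        echo "macOS $v: 13.3 or later, fix present"
    fi
fi
```

iOS and iPadOS expose no shell, so for those platforms the functions are useful when fed a version string read from Settings > General > About or from an MDM inventory export.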

📡 Detection & Monitoring

Log Indicators:

  • Gatekeeper bypass logs, unexpected file executions from iCloud downloads

Network Indicators:

  • Connections to iCloud servers followed by unexpected local file execution

SIEM Query:

Process execution where parent process involves iCloud file download or Gatekeeper bypass events
