CVE-2023-32359

7.5 HIGH

📋 TL;DR

This vulnerability in the iOS/iPadOS VoiceOver accessibility feature could expose user passwords by reading them aloud. It affects users who have VoiceOver enabled on unpatched Apple mobile devices. The issue allows disclosure of sensitive information through the screen reader functionality.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
Versions: prior to iOS 16.7.2 and iPadOS 16.7.2
Operating Systems: iOS, iPadOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when VoiceOver accessibility feature is enabled. Default configuration has VoiceOver disabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with physical access or malware on the device could capture passwords read aloud by VoiceOver, leading to credential theft and account compromise.

🟠 Likely Case

Accidental exposure of passwords when VoiceOver is active, potentially revealing credentials to nearby individuals in shared spaces.

🟢 If Mitigated

With VoiceOver disabled or the device patched, no password exposure occurs through this vector.

🌐 Internet-Facing: LOW - Requires local access or malware on the device; not directly exploitable over the network.
🏢 Internal Only: MEDIUM - Physical device access or installed malware is required, but corporate mobile devices could be affected.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires VoiceOver to be enabled, plus either user interaction or malware on the device to trigger reading of the password field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 16.7.2, iPadOS 16.7.2

Vendor Advisory: https://support.apple.com/en-us/HT213981

Restart Required: Yes

Instructions:

1. Open the Settings app.
2. Tap General.
3. Tap Software Update.
4. Install the iOS 16.7.2 or iPadOS 16.7.2 update.
5. Restart the device when prompted.

🔧 Temporary Workarounds

Disable VoiceOver (iOS / iPadOS)

Temporarily disable the VoiceOver accessibility feature until patching is possible:

Settings > Accessibility > VoiceOver > Toggle OFF

🧯 If You Can't Patch

  • Disable VoiceOver accessibility feature on all affected devices
  • Implement device access controls and monitor for unauthorized physical access

🔍 How to Verify

Check if Vulnerable:

Check the iOS/iPadOS version in Settings > General > About. If the version is below 16.7.2 and VoiceOver is enabled, the device is vulnerable.

Check Version:

Settings > General > About > Version

Verify Fix Applied:

Confirm that the iOS/iPadOS version shown in Settings > General > About is 16.7.2 or later.

📡 Detection & Monitoring

Log Indicators:

  • MDM logs showing VoiceOver activation on vulnerable versions
  • Accessibility service logs showing unexpected VoiceOver usage

Network Indicators:

  • No network-based indicators for this local vulnerability

SIEM Query (pseudo-syntax; adapt field names to your MDM/SIEM schema):

device.os.version < "16.7.2" AND accessibility.voiceover.enabled = true

Compare version numbers component by component rather than as plain strings, since a lexical comparison mis-orders values such as 16.7.10 and 16.7.2.
