
CVE-2023-41061

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Published: Sep 11, 2023  ·  Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability — Apple iOS, iPadOS, and watchOS contain an unspecified vulnerability due to a validation issue affecting Wallet in which a maliciously crafted attachment may result in code execution. This vulnerability was chained with CVE-2023-41064.

🤖 AI Executive Summary

CVE-2023-41061 is a critical zero-click code execution vulnerability in Apple's Wallet application affecting iOS, iPadOS, and watchOS, exploitable via a maliciously crafted attachment without any user interaction. This vulnerability was actively chained with CVE-2023-41064 (a buffer overflow in ImageIO) as part of the BLASTPASS exploit chain, used to deploy NSO Group's Pegasus spyware. With a CVSS score of 9.0 and confirmed in-the-wild exploitation, this represents an immediate and severe threat to any organization relying on Apple mobile devices. Immediate patching is critical as exploit code is known to exist and has been weaponized in targeted attacks.

🤖 AI Intelligence Analysis (Analyzed: Apr 16, 2026 20:37)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses an exceptionally high risk to Saudi organizations given the widespread use of Apple devices across all sectors. Government and NCA-regulated entities are at elevated risk as Pegasus spyware has historically targeted Saudi government officials, journalists, and activists. ARAMCO and energy sector executives using iPhones for operational communications face targeted espionage risks. SAMA-regulated banking institutions risk credential theft and financial data exfiltration via compromised devices. Telecom providers such as STC face risks of network credential compromise through infected executive devices. The zero-click nature means no user awareness or training can mitigate this threat — only patching is effective. Saudi Arabia has been previously identified as a Pegasus customer and target country, making this vulnerability particularly relevant to the Kingdom's threat landscape.
🏢 Affected Saudi Sectors
Government, Banking, Energy, Telecom, Healthcare, Defense, Media, Legal & Judiciary
⚖️ Saudi Risk Score (AI): 9.7 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Apply Apple security updates immediately: iOS 16.6.1, iPadOS 16.6.1, watchOS 9.6.2 or later
2. Enable Lockdown Mode on high-risk devices (executives, government officials, critical infrastructure personnel) via Settings > Privacy & Security > Lockdown Mode
3. Audit all Apple devices in the environment for patch compliance using MDM solutions (Jamf, Microsoft Intune)
4. Isolate any devices suspected of compromise from corporate networks immediately

PATCHING GUIDANCE:
- Update to iOS 16.6.1 / iPadOS 16.6.1 / watchOS 9.6.2 at minimum
- Preferred: Update to latest available iOS/iPadOS/watchOS version
- Force updates via MDM policy for all managed devices
- Establish 48-hour SLA for critical Apple patches going forward

COMPENSATING CONTROLS:
- Enable Apple Lockdown Mode for high-value targets if immediate patching is not possible
- Restrict iMessage and FaceTime on corporate devices via MDM until patched
- Block unknown attachment types at email gateway and MDM level
- Implement network segmentation to limit blast radius of compromised mobile devices
- Deploy Mobile Threat Defense (MTD) solutions (Lookout, Zimperium, Microsoft Defender for Endpoint on iOS)

DETECTION:
- Use iMazing or MVT (Mobile Verification Toolkit) to scan devices for Pegasus indicators of compromise
- Monitor for anomalous data exfiltration from mobile device management logs
- Check Apple Sysdiagnose logs for suspicious Wallet process activity
- SIEM rule: Alert on MDM non-compliance for critical Apple patches beyond 48 hours
- Monitor network traffic from mobile devices for connections to known Pegasus C2 infrastructure
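
The patch-compliance audit and the 48-hour SIEM rule listed above can be sketched as follows. This is an added example, not code from this page or from any MDM vendor; the export column names, the sample rows, and the choice to start the SLA clock at the page's published date (2023-09-11) are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Minimum fixed versions from the remediation steps above.
MIN_FIXED = {"iOS": (16, 6, 1), "iPadOS": (16, 6, 1), "watchOS": (9, 6, 2)}
SLA = timedelta(hours=48)  # 48-hour SLA for critical Apple patches
SLA_START = datetime(2023, 9, 11, tzinfo=timezone.utc)  # assumption: clock starts at the page's published date

# Constructed MDM inventory export; the column names are hypothetical.
SAMPLE_EXPORT = """device_id,platform,os_version
D-001,iOS,16.6.1
D-002,iOS,16.6
D-003,iPadOS,16.5.1
D-004,watchOS,9.6.2
D-005,iOS,17.0
D-006,watchOS,9.6.1
D-007,tvOS,16.6
D-008,iOS,
"""

def parse_version(text):
    """'16.6' -> (16, 6, 0), so 16.6 sorts below 16.6.1."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(row, as_of):
    minimum = MIN_FIXED.get(row["platform"])
    if minimum is None:
        return "out_of_scope"          # platform not named in the advisory
    try:
        version = parse_version(row["os_version"])
    except ValueError:
        return "unknown_version"       # blank or non-numeric: review by hand
    if version >= minimum:
        return "patched"
    return "overdue" if as_of - SLA_START > SLA else "within_sla"

def audit(export_text, as_of):
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["device_id"]: classify(r, as_of) for r in rows}

def overdue_devices(export_text, as_of):
    """Device IDs the SIEM rule should alert on (unpatched past the SLA)."""
    return sorted(d for d, s in audit(export_text, as_of).items() if s == "overdue")

if __name__ == "__main__":
    now = datetime(2023, 9, 14, tzinfo=timezone.utc)
    print("ALERT:", overdue_devices(SAMPLE_EXPORT, now))
```

Devices with a blank or unparsable version are reported as `unknown_version` rather than silently counted as patched, so they can be checked by hand.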
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC-2-1: Cybersecurity Risk Management — critical mobile device vulnerability requiring immediate risk treatment
- ECC-3-3: Patch Management — mandatory patching of critical vulnerabilities within defined SLA
- ECC-3-2: Asset Management — mobile device inventory and patch compliance tracking
- ECC-3-5: Mobile Device Security — MDM enforcement and mobile security controls
- ECC-2-2: Cybersecurity Incident Management — potential Pegasus compromise requires incident response activation
🔵 SAMA CSF
- Protect 3.3 — Vulnerability and Patch Management: Critical patch deployment within SAMA-mandated timelines
- Protect 3.4 — Mobile Device Security: MDM controls and mobile threat defense deployment
- Detect 4.1 — Continuous Monitoring: Mobile device threat detection and IOC monitoring
- Respond 5.1 — Incident Response: Activation of IR procedures for potential Pegasus compromise
- Identify 2.1 — Asset Management: Complete inventory of Apple mobile devices
🟡 ISO 27001:2022
- A.8.8 — Management of technical vulnerabilities: Timely identification and remediation of critical Apple vulnerability
- A.8.1 — User endpoint devices: Mobile device security policy enforcement
- A.5.30 — ICT readiness for business continuity: Ensuring patched devices for critical operations
- A.8.16 — Monitoring activities: Detection of exploitation attempts and IOC monitoring
- A.6.8 — Information security event reporting: Reporting of suspected Pegasus compromise
🟣 PCI DSS v4.0
- Requirement 6.3 — Security vulnerabilities are identified and addressed: Critical patch deployment
- Requirement 6.3.3 — All system components are protected from known vulnerabilities by installing applicable security patches
- Requirement 12.3 — Hardware and software technologies are reviewed to protect against known vulnerabilities
- Requirement 8.2 — User identification and authentication: Risk of credential theft via compromised payment-handling devices
📦 Affected Products / CPE 1 entries
Apple:iOS, iPadOS, and watchOS
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0 / 10.0
EPSS: 0.99%
Exploit: ✓ Yes
Patch: ✓ Yes
CISA KEV: 🇺🇸 Yes
KEV Due Date: 2023-10-02
Published: 2023-09-11
Source Feed: cisa_kev
🏷️ Tags: kev, actively-exploited