Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Apple Wallet malicious attachment code execution

IdentifiersCVE-2023-41061CWE-20· Improper Input Validation

CVE-2023-41061 is an Apple Wallet/PassKit vulnerability affecting supported iOS, iPadOS, and watchOS devices prior to iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. Apple describes the root cause as a validation issue that was fixed with improved logic. Processing a maliciously crafted attachment in Wallet/PassKit can result in arbitrary code execution. Reporting around the vulnerability ties it to PassKit attachments delivered via iMessage as part of the BLASTPASS exploit chain, which Citizen Lab said was used in zero-click Pegasus spyware attacks against fully patched iPhones running iOS 16.6. Apple stated it is aware of reports that the issue may have been actively exploited in the wild.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to arbitrary code execution on the targeted Apple device. In reported in-the-wild activity, the flaw was used as part of a zero-click exploit chain associated with NSO Group Pegasus delivery, enabling device compromise without user interaction. Depending on the broader chain and post-exploitation tooling, this can enable surveillance, data access, and further compromise of the victim device.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to the known delivery vector by limiting or closely controlling iMessage use for high-risk users and treating unsolicited PassKit/Wallet attachments as hostile. For users at elevated risk, enable Lockdown Mode; Citizen Lab and Apple's Security Engineering and Architecture team stated they believe Lockdown Mode blocks this specific BLASTPASS attack chain. These measures are temporary risk reductions and do not replace installing the vendor patches.

Remediation

Patch, then assume compromise.

Apply Apple's security updates that fix CVE-2023-41061: iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 or later. Ensure all supported iPhone 8 and later devices, affected iPad models, and Apple Watch Series 4 and later are updated to patched releases. Because Apple reported possible active exploitation, patching should be prioritized immediately.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AppleIpadosoperating_system
AppleIphone Osoperating_system
AppleWatchosoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
apple supportNews
Jan 24, 2026
About the security content of iOS 16.6.1 and iPadOS 16.6.1 - Apple Support

A validation flaw in Apple Wallet where a maliciously crafted attachment may result in arbitrary code execution; Apple notes reports of active exploitation.

Read more
apple supportNews
Nov 15, 2023
About the security content of iOS 16.6.1 and iPadOS 16.6.1 - Apple Support

A validation vulnerability in Apple Wallet that may allow arbitrary code execution via a maliciously crafted attachment.

Read more
apple supportNews
Nov 9, 2023
About the security content of watchOS 9.6.2 - Apple Support

A validation issue in Apple Wallet that could allow arbitrary code execution via a maliciously crafted attachment.

Read more
bleeping computerNews
Sep 21, 2023
Apple emergency updates fix 3 new zero-days exploited in attacks

A zero-day used as part of the BLASTPASS zero-click exploit chain to compromise iPhones.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-41061
NVD
nvd.nist.gov/vuln/detail/CVE-2023-41061
MITRE CWE · CWE-20
Improper Input Validation
Vendor Advisory
support.apple.com/en-us/HT213905
Vendor Advisory
support.apple.com/en-us/HT213907
Vendor Advisory
support.apple.com/kb/HT213905
Vendor Advisory
support.apple.com/kb/HT213907
Third Party Advisory
seclists.org/fulldisclosure/2023/Sep/4
Third Party Advisory
seclists.org/fulldisclosure/2023/Sep/5
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41061