U.S. Cybersecurity Agency Issues Directive to Address Critical iPhone Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA), recognized as America’s premier cyber defense agency, has issued an urgent warning about a critical security flaw that affects Apple devices, including iPhones. The vulnerability, known as CVE-2022-48618, is currently under active exploitation and poses significant risks, prompting immediate action from users and organizations.
CVE-2022-48618 is a high-rated vulnerability affecting devices running certain versions of iOS, iPadOS, macOS, tvOS, and watchOS. This flaw is known to bypass pointer authentication, a security feature integral to Apple’s operating systems, creating a potential entry point for malicious actors. CISA’s warning extends beyond Federal Civilian Executive Branch (FCEB) agencies, urging all organizations to respond promptly to mitigate the threat.
FCEB agencies, in particular, face a strict 21-day deadline to patch their systems against CVE-2022-48618. This measure aims to fortify their networks against this longstanding threat, which dates back to at least December 2022, though it was publicly disclosed only recently, on January 9. The kernel vulnerability has been actively exploited in versions of iOS prior to 15.7.1. Apple has addressed the issue with patches in version 16.2 of iOS, iPadOS, and tvOS, as well as in macOS Venture 13.1 and watchOS 9.2. The release of iOS 16.2 marked a significant update, rectifying over 30 security vulnerabilities, including six critical ones within the iPhone’s kernel.
By adding CVE-2022-48618 to the Known Exploited Vulnerabilities (KEV) catalog, CISA underscores the severity of the threat posed by unpatched devices, not just to federal agencies but to the broader ecosystem. In accordance with Binding Operational Directive 22-01, agencies are mandated to “remediate identified vulnerabilities by the due date” once they are included in the KEV list. This directive illustrates the heightened vigilance and proactive approach required to safeguard against evolving cyber threats in an increasingly interconnected digital landscape.