CVE-2019-6223


CVSS 7.5 HIGH · EPSS 2.6% · KEV
Vexday Risk Score: 51 (Attention)
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.5 · EPSS 2.6% · KEV yes · PoC · Nuclei · Metasploit · Patch
Lifecycle
05 Mar 2019: Published on NVD
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A flaw in Group FaceTime allowed the person starting a call to force someone to answer it without their consent. This was a serious privacy issue because people could be put into calls they didn't want to join.

Technical detail

A logic flaw in Group FaceTime call state management allowed an attacker (call initiator) to manipulate the call handling logic, causing recipients to be placed in an answered state without explicit user action. The attack required initiating a Group FaceTime call and exploiting improper state validation; the impact was unwanted call connection and potential privacy violation.

Summary generated and translated by AI from the official description.
A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. The initiator of a Group FaceTime call may be able to cause the recipient to answer.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
