ELEGANTBOUNCER is a detection tool for file-based mobile exploits. It employs an innovative approach for advanced file-based threat identification, eliminating the need for in-the-wild samples and outperforming traditional methods based on regular expressions or IOCs. At present, it primarily targets the identification of mobile vulnerabilities such as FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-4863, CVE-2023-41064), and TRIANGULATION (CVE-2023-41990) [and recently added CVE-2025-43300].
Seems like it was major enough that it was the lone patch[0] in all active Apple OS's:
macOS Ventura 13.7.8 | macOS Sonoma 14.7.8 | macOS Sequoia 15.6.1
iPadOS 17.7.10 | iPadOS 18.6.2 | iOS 18.6.2
Usually, it's multiple CVEs in a security update.
Examples:
- https://support.apple.com/en-us/122375 (macOS Ventura 13.7.5)
- https://support.apple.com/en-us/122718 (macOS Ventura 13.7.6)
- https://support.apple.com/en-us/124151 (macOS Ventura 13.7.7)
--------------------------- References/Sources ---------------------------
[0] https://support.apple.com/en-us/124925 -> https://support.apple.com/en-us/124929 | (124925 -> 124929)
https://support.apple.com/en-us/100100
https://nvd.nist.gov/vuln/detail/CVE-2025-43300#vulnConfigur...
For iOS defense, enable Lockdown Mode and reboot daily to evict non-persistent malware, https://www.youtube.com/watch?v=fAhTPMmvrB0
> For me, there is only lockdown mode. That is the Apple Experience.
iOS backups can be scanned for the presence of this CVE-2025-43300 DNG processing vulnerability via an OSS tool for iOS forensics, https://github.com/msuiche/elegant-bouncer | https://www.msuiche.com/posts/elegantbouncer-when-you-cant-g...
https://x.com/darknavyorg/status/1959271176062251333
> While reproducing the iOS ITW CVE-2025-43300 (support.apple.com/en-us/124925), we accidentally triggered another old DNG image parsing vulnerability. The analysis is still ongoing.
Note that even though the CVE is for an RCE (remote code execution)[1], this specific PoC is at most a DoS (denial of service). There's more work needed to bypass mitigations for it to be actually usable as an RCE.
[1] https://support.apple.com/en-us/124925
How do people even find these types of bugs? Is it just years and years experience allowing you to know where to look?
Is it me or does iOS have a myriad of CVEs in the image processing/decoder stack? You'd think they'd sandbox in some kind of memory safe framework/lang by now?
Look up iMessage's "blastdoor" sandbox: https://support.apple.com/guide/security/blastdoor-for-messa...
Surprised to see no patch available for watchOS, which can also receive images via iMessage. Not important enough to patch, or not vulnerable, or just not exploited in the wild yet?
I AirDropped the PoC to my vulnerable iPhone. It didn't cause a crash until I tried to edit it in the Photos app.
Where's the 0-click or the RCE here?
I'm actually really curious about how the ITW exploit for this CVE worked; the OOB write is quite obvious in hindsight but going from OOB write to execution on iOS is very much not easy these days, and going from OOB write to sandbox escape should be extremely hard, especially since I thought (?) all image previews in iMessage should be behind BlastDoor. There's a lot of interesting stuff that's still missing here.
>Where's the 0-click or the RCE here?
See my other comment. There's an exploit in the wild that uses this bug to get RCE, but this specific example just causes a crash.
Yes, that's what I'm referring to with
> I'm actually really curious about how the ITW exploit for this CVE worked
It's really weird to see only a single OOB write patched for a full 0-click chain in the wild - how did they get code execution? PAC+ASLR bypass? Sandbox escape/kernel escalation?
Literally only RawCamera is patched in the update - were the other bugs in the chain already patched? Too difficult to patch immediately? (i.e. close the front door while working on replacing the other locks?) Still unknown? (i.e. found a crash dump from RawCamera but didn't get a sample of the full chain?)
It's 2025, and Apple clearly still hasn't incorporated fuzzers in their CI and QA. Perhaps I am giving them too much credit in assuming they have any QA in the first place.
I have no idea what you're talking about; Apple has one of the largest and most sophisticated software security practices on the planet.
Oh, so we'll get another jailbreak soon? Wow, thanks [whatever Israeli agency/company is behind this] :)
I wonder how much this would be worth for Zerodium
$0, given it's patched in ios 18.6.2
And given that Zerodium has shut down.
Before that obviously. Possibly pc meant to ask if the “finder” would have gone to them instead of dealing with Apple directly.
The AirDrop requirement probably decreases its value substantially, but I think all these kinds of questions are kind of tricky to reason about:
https://news.ycombinator.com/item?id=43025038
This might be a weird corner case where Apple would outbid the grey market, but generally even though Apple comes in lower than the grey market (for these very specific kinds of vulnerabilities), the term sheets are different, and the rest of the terms tend to favor going with Apple.
$0, since I don't think Zerodium still exists.
Does this affect any of the iOS, iPadOS, macOS, tvOS, watchOS 26 Beta?
Apple patched it on August 20, so presumably any release from after this date is not vulnerable.
Dang that's so cool!