Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Researchers: Apple Quietly Patched 0-Click Wi-Fi Code Execution Vulnerability in iOS

Apple in early 2021 quietly patched an iOS vulnerability that could lead to remote code execution when connecting to a Wi-Fi access point that had a specially crafted SSID.

Apple in early 2021 quietly patched an iOS vulnerability that could lead to remote code execution when connecting to a Wi-Fi access point that had a specially crafted SSID.

The issue was initially brought to light last month, when reverse engineer Carl Schou discovered that the Wi-Fi functionality on his iPhone would completely crash when connecting to a hotspot that had the SSID “%p%s%s%s%s%n.”

Wi-Fi would continuously restart even after disconnecting from the hotspot, with the functionality being restored only after resetting the network connection settings on the device.

The issue, which impacts all iOS devices running iOS 14.0 to 14.6, was deemed to be a format string bug, where iOS is considering the characters that follow “%” as string-format specifiers, meaning that they are processed as commands, rather than text.

According to security researchers with the ZecOps Mobile EDR Research team, however, the implications of the bug are deeper, as it could be exploited to achieve remote code execution without any interaction from the user.

To achieve remote code execution, the researchers say, the targeted device needs to have WiFi enabled and set to Auto-Join (the feature is enabled by default), for the device to be running a vulnerable iOS version, and for it to be in the proximity of a Wi-Fi access point that has a tailored name to trigger the bug.

An attack exploiting the vulnerability leverages the fact that an iOS device scans WiFi to join roughly every 3 seconds when the device is in use, or anywhere between 10 seconds to more than 1 minute if the screen is off.

Thus, an attacker could create a malicious access point, launch a beacon flooding attack against the target device (by broadcasting numerous Beacon frames, many access points appear on the victim device), cause the device’s Wi-Fi to crash and re-spawn, control the content of the stack to trigger a use-after-free and leverage it for remote code execution.

ZecOps discovered that an attacker may use the string “%@” in the malicious access point’s name, because it is treated as an Objective-C object, thus providing an attacker with control of the stack content.

“As long as the WiFi is turned on this vulnerability can be triggered. If the user is connected to an existing WiFi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this 0-click attack,” the researchers say.

ZecOps also explains that, if the malicious Wi-Fi access point is password protected and the device never joins the network, no data is saved to disk and, with the device’s Wi-Fi function being normal when no longer in range, the user may never notice they have been attacked.

“Since this vulnerability was widely published, and relatively easy to notice, we are highly confident that various threat actors have discovered the same information we did, and we would like to encourage an issuance of a patch as soon as possible,” ZecOps notes.

Apple silently patched the vulnerability in iOS 14.4, without assigning a CVE. However, the bug can still be abused to crash the Wi-Fi on devices running iOS 14.0 to iOS 14.6, leading to a denial of service condition, the researchers say.

Related: Apple Adds ‘BlastDoor’ to Secure iPhones From Zero-Click Attacks

Related: FragAttacks: New Vulnerabilities Expose All Devices With Wi-Fi to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet