Zero-click iMessage Pegasus exploit patched in iOS 16.6.1 update

Article Hero Image

Apple’s operating system updates on Thursday patched an exploit chain capable of compromising iOS 16.6 devices with the Pegasus spyware without any interaction from the victim.

The exploit was discovered on an iPhone owned by an individual employed by a Washington DC-based civil society organization. The exploit was used to deliver NSO Group’s Pegasus mercenary spyware.

Toronto’s Citizen Lab states that the exploit involves PassKit containing “malicious images sent from an attacker iMessage account to the victim.”

Citizen Lab disclosed their findings to Apple, who promptly issued CVE-2023-41064 and CVE-2023-41061 related to the exploit chain. The iOS 16.6.1 patch fixes the security gap, and Thursday’s report from Citizen Lab confirms that.

Both Citizen Lab and AppleInsider recommend that iPhone owners update their devices as soon as feasible. Users can download the security fix by opening the Settings app, tapping Software Update, and installing iOS 16.6.1 from the menu.

The security researchers will publish a more detailed discussion of the exploit chain in the future.


Ad - Starter Web Hosting from SiteGround - The easiest start for your website. Click here to learn more.


Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top