Unrated severity · NVD Advisory · Published Mar 14, 2014 · Updated May 6, 2026

CVE-2014-1267

Description

The Configuration Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 does not properly evaluate the expiration date of a mobile configuration profile, which allows attackers to bypass intended access restrictions by using a profile after the date has passed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

iOS before 7.1 and Apple TV before 6.1 fail to validate mobile configuration profile expiration, allowing use after expiry.

Vulnerability

The Configuration Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 does not properly evaluate the expiration date of a mobile configuration profile [1][2]. This allows a profile whose validity period has ended to still be treated as valid by the device. Affected versions include iOS versions prior to 7.1 on iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later, and Apple TV (2nd generation and later) prior to 6.1 [1][2].

Exploitation

An attacker who can install a mobile configuration profile on a target device (e.g., through social engineering, a malicious website, or physical access) can continue to have that profile honored even after its intended expiration date [1][2]. No additional authentication or privilege is required beyond the ability to install the profile originally. The attacker does not need to interact with the device again; the profile's settings remain active indefinitely despite the expiration field.

Impact

A profile exploited in this way bypasses the access restrictions tied to its expiration date, allowing the attacker's desired settings (such as VPN configurations, passcode policies, or allowed Wi-Fi networks) to persist longer than intended [1][2]. This could lead to unauthorized access, persistent policy changes, or data exposure depending on the profile's permissions.

Mitigation

Apple addressed this issue in iOS 7.1 and Apple TV 6.1, both released on March 10, 2014 [1][2]. Users should update their devices to these versions or later. No workaround is disclosed in the available references. This CVE is not on the CISA KEV list.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
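Until every device is updated, a fleet audit can list devices that still run an affected release and hold a profile whose expiration date has passed. The script below is an added example, not code from Apple or from the cited references. It assumes the expiration date is the profile's top-level `RemovalDate` key, that profiles are available as unsigned plists, and that inventory comes in a hypothetical list-of-dicts shape, shown here with constructed sample data.

```python
import plistlib
from datetime import datetime, timezone

# First fixed releases, as stated in the advisory.
FIXED = {"iOS": (7, 1), "Apple TV": (6, 1)}

def is_affected(platform, version):
    """True when the platform/version pair predates the fixed release."""
    fixed = FIXED.get(platform)
    return fixed is not None and tuple(int(p) for p in version.split(".")) < fixed

def read_profile(raw):
    """Return (display name, expiry as aware UTC datetime or None)."""
    # Assumption: unsigned plist; a signed (CMS-wrapped) profile must be unwrapped first.
    profile = plistlib.loads(raw)
    name = profile.get("PayloadDisplayName", "<unnamed>")
    expiry = profile.get("RemovalDate")  # assumed to be the expiration field
    if not isinstance(expiry, datetime):
        return name, None  # no usable expiration date on this profile
    return name, expiry.replace(tzinfo=timezone.utc)  # plist dates are UTC

def stale_profiles(inventory, now):
    """List (device, profile, expiry date) for expired profiles on affected devices."""
    findings = []
    for device in inventory:
        if not is_affected(device["platform"], device["version"]):
            continue  # fixed releases are expected to evaluate the date themselves
        for raw in device["profiles"]:
            name, expiry = read_profile(raw)
            if expiry is not None and expiry < now:
                findings.append((device["name"], name, expiry.date().isoformat()))
    return findings

def _profile(name, removal=None):
    """Build a constructed sample profile (not a real one)."""
    body = {"PayloadType": "Configuration", "PayloadDisplayName": name}
    if removal:
        body["RemovalDate"] = removal
    return plistlib.dumps(body)

# Constructed inventory and audit time, for illustration only.
NOW = datetime(2014, 3, 14, tzinfo=timezone.utc)
EXPIRED = _profile("Contractor Wi-Fi", datetime(2014, 1, 31))
INVENTORY = [
    {"name": "lobby-ipad", "platform": "iOS", "version": "7.0.4",
     "profiles": [EXPIRED, _profile("Staff VPN", datetime(2015, 1, 1))]},
    {"name": "exec-iphone", "platform": "iOS", "version": "7.1", "profiles": [EXPIRED]},
    {"name": "conf-room-tv", "platform": "Apple TV", "version": "6.0.2",
     "profiles": [_profile("Display Settings")]},
]
```

Calling `stale_profiles(INVENTORY, NOW)` reports only the expired profile on the device that is still on an affected release.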

Affected products

12
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (+ 6 more)
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.0.6)
    • cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
  • Apple Inc./tvOS (3 versions)
    cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* (+ 2 more)
    • cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* (range: <=6.0.2)
    • cpe:2.3:o:apple:tvos:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.0.1:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <7.1
  • Range: <6.1

References

2
