Unrated severity · NVD Advisory · Published Feb 21, 2024 · Updated Nov 4, 2025

CVE-2023-42855


Description

An attacker with physical access to an erased iOS/iPadOS device could silently persist an Apple ID, enabling account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

CVE-2023-42855 is a state management issue in iOS and iPadOS that allows an attacker with physical access to persist an Apple ID on an erased device. The vulnerability affects iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later running versions prior to iOS 17.1 and iPadOS 17.1 [1]. The issue was addressed by improved checks in the operating system's account management logic [1].

Exploitation

An attacker must have physical access to the target device after it has been erased via the standard “Erase All Content and Settings” procedure. No authentication is required beyond the initial physical possession. The attacker could silently persist their own Apple ID or allow the previous owner’s ID to remain active, bypassing the expected clean state after erasure [1].

Impact

A successful exploit allows an attacker to maintain an Apple ID on a device that was presumed to be wiped of all user data and accounts. This could lead to unauthorized access to iCloud services, purchase history, and other account-linked data, effectively enabling account takeover with the same privilege level as the original account owner [1].

Mitigation

Apple fixed the vulnerability in iOS 17.1 and iPadOS 17.1, released on October 25, 2023 [1]. Users should update to the latest version. There is no workaround for unpatched devices; erasing such a device multiple times does not prevent exploitation. No CISA KEV listing was observed at the time of publication.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3


References

1
