CVE-2024-23282 is a vulnerability identified in Apple’s iOS and iPadOS platforms that allows a maliciously crafted email to initiate FaceTime calls without explicit user authorization. The root cause lies in insufficient validation checks when processing email content that can trigger FaceTime call initiation. This flaw enables an attacker to send a specially designed email that, when opened or previewed by the user, can start a FaceTime call without the user’s consent or interaction beyond opening the email. The vulnerability affects multiple Apple operating systems, including iOS, iPadOS, macOS Sonoma, and watchOS, with patches released in versions iOS 16.7.8, iPadOS 16.7.8, iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and watchOS 10.5. The CVSS v3.1 base score is 5.5, reflecting medium severity, with an attack vector of local (requiring user interaction), low attack complexity, no privileges required, and user interaction necessary. The impact primarily compromises confidentiality by allowing unauthorized initiation of FaceTime calls, potentially leading to privacy violations. There is no impact on system availability or integrity. No known exploits have been reported in the wild to date. The vulnerability is classified under CWE-552, which relates to exposure of sensitive information to an unauthorized actor due to improper authorization checks. The fix involves improved validation and authorization checks to ensure FaceTime calls cannot be initiated without explicit user consent.

The primary impact of CVE-2024-23282 is on user privacy and confidentiality. Unauthorized initiation of FaceTime calls can lead to covert audio or video surveillance, exposing sensitive conversations or environments without user knowledge. This can have serious implications for individuals and organizations, especially those handling sensitive or confidential information. While the vulnerability does not affect system integrity or availability, the breach of privacy can undermine trust in Apple devices and services. For organizations, this could lead to data leakage, compliance violations (e.g., GDPR, HIPAA), and reputational damage. The requirement for user interaction (opening or previewing the malicious email) limits the ease of exploitation but does not eliminate risk, especially in targeted phishing campaigns. The lack of known exploits in the wild suggests limited current threat but does not preclude future exploitation. The vulnerability affects a broad range of Apple devices globally, potentially impacting millions of users and organizations relying on Apple’s ecosystem for communication.

Organizations and users should immediately apply the security updates released by Apple in iOS 16.7.8, iPadOS 16.7.8, iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and watchOS 10.5 to remediate this vulnerability. Beyond patching, organizations should implement email security best practices such as advanced phishing detection and filtering to reduce the likelihood of malicious emails reaching end users. User awareness training should emphasize caution when opening or previewing emails from unknown or suspicious sources, especially those containing unexpected communication requests. Disabling email preview panes or configuring mail clients to not automatically load remote content can reduce exposure. Network monitoring for unusual FaceTime call patterns or spikes may help detect exploitation attempts. For high-security environments, consider restricting FaceTime usage or implementing endpoint security solutions that can detect anomalous application behavior. Regularly review and update security policies to incorporate emerging threats related to communication applications.