CVE-2023-41974

Apple iOS/iPadOS Use-After-Free Exploitation (CVE-2023-41974)

Detects exploitation attempts and post-exploitation activity related to CVE-2023-41974, a use-after-free vulnerability in Apple iOS and iPadOS. This vulnerability allows an attacker to achieve arbitrary code execution, potentially leading to full device compromise. It is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Detection focuses on mobile device management telemetry, abnormal process behavior on managed Apple devices, and network indicators associated with mobile exploit frameworks.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Apple
Product
iOS and iPadOS

Weakness (CWE)

Timeline

Disclosed
March 5, 2026

CVSS

Unscored
Write-up coming soon

What is Apple iOS/iPadOS Use-After-Free Exploitation (CVE-2023-41974)?

Apple iOS/iPadOS Use-After-Free Exploitation (CVE-2023-41974) maps to the Initial Access, Execution, Persistence and Privilege Escalation tactics in MITRE ATT&CK; under Initial Access, the adversary is trying to get into your network.

This page provides production-ready detection logic for Apple iOS/iPadOS Use-After-Free Exploitation (CVE-2023-41974), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Intune MDM, Azure AD Device Compliance. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence, Privilege Escalation
Microsoft Sentinel / Defender
kusto
// Managed devices that Defender inventory reports as running iOS; keep the latest snapshot per
// device so the later join does not fan out across every DeviceInfo heartbeat.
let iOSDevices = DeviceInfo
| where OSPlatform == "iOS" and isnotempty(OSVersion)
| summarize arg_max(Timestamp, OSVersion, DeviceName) by DeviceId;
// Abnormal process / memory events on those devices in the last 7 days.
// The device-name fallback catches devices whose inventory row has not yet been ingested.
let SuspiciousAppleDeviceEvents = DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("ProcessCreated", "ProcessInjected", "MemoryAllocationFailed")
| where DeviceId in ((iOSDevices | project DeviceId)) or DeviceName has_any ("iPhone", "iPad")
| project Timestamp, DeviceId, DeviceName, ActionType, RemoteIP, RemotePort;
// Successful outbound connections from iOS devices to ports commonly used by post-exploitation
// tooling. DeviceNetworkEvents is the left side of the join so Timestamp is the connection time,
// not the inventory snapshot time.
let MDMAlerts = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (4444, 8080, 8443, 1337)
| join kind=inner iOSDevices on DeviceId
| project Timestamp, DeviceId, DeviceName, OSVersion, ActionType, RemoteIP, RemotePort;
// Both branches project the same core columns so the union lines up; OSVersion is empty
// for rows that came from DeviceEvents.
SuspiciousAppleDeviceEvents
| union MDMAlerts
| extend CVE = "CVE-2023-41974"
| project Timestamp, DeviceName, OSVersion, ActionType, RemoteIP, RemotePort, CVE

Detects suspicious process and network activity on managed iOS/iPadOS devices consistent with CVE-2023-41974 exploitation, including abnormal memory events and outbound connections to common post-exploitation ports.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint
Microsoft Intune MDM
Azure AD Device Compliance

Required Tables

DeviceEvents
DeviceInfo
DeviceNetworkEvents

False Positives

  • Legitimate MDM enrollment or device management traffic on common ports
  • Developer devices running debug builds may exhibit unusual memory patterns
  • VPN or proxy software on managed devices generating unusual network connections
  • Security scanning tools performing authorized vulnerability assessments

Sigma rule & cross-platform mapping

The detection logic for Apple iOS/iPadOS Use-After-Free Exploitation (CVE-2023-41974) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate iOS MDM Jailbreak Alert with Suspicious Outbound Connection

    Expected signal: MDM log source should show a jailbreak_detected event for the simulated device; network logs should show an outbound TCP connection to port 4444 from the device IP

  2. Test 2: Generate Compliance Violation and Network Anomaly via MDM API Simulation

    Expected signal: Splunk HEC should receive two events indexed under the apple_mdm sourcetype; search for device_id=sim-iphone-002 to verify ingestion

  3. Test 3: Validate Detection Rule Against Static iOS Exploit Telemetry Sample

    Expected signal: Script outputs PASS messages for both suspicious port and jailbreak indicator checks; the JSON file contains three events representing a realistic post-exploitation sequence
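The following script is an added example, not part of this page's detection package and not the vendor's test harness. It re-implements the Microsoft Sentinel / Defender query above in plain Python (same action types, same port list, same iOS device filter, same 7-day window) so the rule can be exercised offline against a static telemetry sample of the kind Test 3 describes. The sample events, the field names (timestamp, device_id, action_type, remote_ip, remote_port and so on), the device ids and the MDM allowlist address are all constructed for illustration. It goes one step beyond the query: it suppresses the "legitimate MDM enrollment traffic" false positive from the list above via an allowlist, and it flags when a suspicious connection follows a jailbreak or abnormal process event on the same device, which is the post-exploitation sequence the static sample is meant to represent.

```python
"""Offline check of the CVE-2023-41974 iOS/iPadOS detection logic against a static telemetry sample."""
import json
from datetime import datetime, timedelta, timezone

# Indicator sets mirrored from the KQL rule on this page.
SUSPICIOUS_ACTIONS = {"ProcessCreated", "ProcessInjected", "MemoryAllocationFailed"}
SUSPICIOUS_PORTS = {4444, 8080, 8443, 1337}
JAILBREAK_ACTIONS = {"jailbreak_detected"}  # MDM-side indicator from Test 1, assumed field value
# Constructed allowlist of the organisation's own MDM endpoint (documentation-range address).
# Connections to it on the "common" ports are the MDM-enrollment false positive the page lists.
MDM_ALLOWLIST = {"203.0.113.10"}
# Reference "now" for the constructed sample, so the 7-day window is deterministic.
SAMPLE_NOW = datetime(2026, 3, 5, 12, 0, tzinfo=timezone.utc)

# Constructed sample telemetry: three events forming a post-exploitation sequence on one device
# (jailbreak indicator, abnormal memory event, outbound connection to port 4444), plus one benign
# MDM enrollment check-in from a second device that must NOT alert.
SAMPLE_TELEMETRY_JSON = json.dumps([
    {"timestamp": "2026-03-05T10:00:00Z", "source": "mdm", "device_id": "sim-iphone-002",
     "device_name": "iPhone-Finance-02", "os_platform": "iOS", "os_version": "16.6",
     "action_type": "jailbreak_detected"},
    {"timestamp": "2026-03-05T10:00:30Z", "source": "endpoint", "device_id": "sim-iphone-002",
     "device_name": "iPhone-Finance-02", "os_platform": "iOS",
     "action_type": "MemoryAllocationFailed"},
    {"timestamp": "2026-03-05T10:01:00Z", "source": "network", "device_id": "sim-iphone-002",
     "device_name": "iPhone-Finance-02", "os_platform": "iOS", "action_type": "ConnectionSuccess",
     "remote_ip": "198.51.100.23", "remote_port": 4444},
    {"timestamp": "2026-03-05T10:05:00Z", "source": "network", "device_id": "sim-iphone-003",
     "device_name": "iPad-Sales-03", "os_platform": "iOS", "action_type": "ConnectionSuccess",
     "remote_ip": "203.0.113.10", "remote_port": 8443},
])


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_ios_device(event):
    """Same device filter as the KQL: inventory says iOS, or the name looks like an Apple device."""
    name = event.get("device_name", "")
    return event.get("os_platform") == "iOS" or "iPhone" in name or "iPad" in name


def classify(event, allowlist=MDM_ALLOWLIST):
    """Return which indicator an event contributes ('jailbreak', 'process', 'network') or None."""
    if not is_ios_device(event):
        return None
    action = event.get("action_type")
    if action in JAILBREAK_ACTIONS:
        return "jailbreak"
    if action in SUSPICIOUS_ACTIONS:
        return "process"
    if (action == "ConnectionSuccess" and event.get("remote_port") in SUSPICIOUS_PORTS
            and event.get("remote_ip") not in allowlist):
        return "network"
    return None


def evaluate(events, now=SAMPLE_NOW, lookback=timedelta(days=7), sequence_window=timedelta(minutes=30)):
    """Group indicators per device inside the lookback window.

    'sequence' becomes True when a suspicious outbound connection follows a jailbreak or
    abnormal process indicator on the same device within sequence_window.
    """
    per_device = {}
    for event in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        ts = parse_ts(event["timestamp"])
        if ts < now - lookback or ts > now:
            continue  # outside the rule's 7-day window (or a future-dated event)
        kind = classify(event)
        if kind is None:
            continue
        record = per_device.setdefault(event["device_id"], {"indicators": [], "sequence": False})
        if kind == "network" and any(
                k in ("jailbreak", "process") and ts - t <= sequence_window
                for k, t in record["indicators"]):
            record["sequence"] = True
        record["indicators"].append((kind, ts))
    return per_device


def run_checks(json_text=SAMPLE_TELEMETRY_JSON, now=SAMPLE_NOW, lookback_days=7):
    """Evaluate the sample and report PASS/FAIL per check, in the spirit of the page's Test 3."""
    result = evaluate(json.loads(json_text), now=now, lookback=timedelta(days=lookback_days))
    target = result.get("sim-iphone-002", {"indicators": [], "sequence": False})
    kinds = {k for k, _ in target["indicators"]}
    return {
        "suspicious_port": "PASS" if "network" in kinds else "FAIL",
        "jailbreak_indicator": "PASS" if "jailbreak" in kinds else "FAIL",
        "post_exploitation_sequence": "PASS" if target["sequence"] else "FAIL",
        "mdm_enrollment_suppressed": "PASS" if "sim-iphone-003" not in result else "FAIL",
    }


if __name__ == "__main__":
    for check, verdict in run_checks().items():
        print(f"{verdict}: {check}")
```

Run it as-is and all four checks print PASS; drop the allowlist entry and the iPad enrollment check-in on 8443 turns into an alert, which is exactly the tuning decision the False Positives list asks you to make before deploying the port-based branch of the rule.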

Unlock Pro Content

Get the full detection package for CVE-2023-41974 including response playbook, investigation guide, and atomic red team tests.

