CVE-2023-41974 Splunk · SPL

Detect Apple iOS/iPadOS Use-After-Free Exploitation (CVE-2023-41974) in Splunk

Detects exploitation attempts and post-exploitation activity related to CVE-2023-41974, a use-after-free vulnerability in Apple iOS and iPadOS. This vulnerability allows an attacker to achieve arbitrary code execution, potentially leading to full device compromise. It is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Detection focuses on mobile device management telemetry, abnormal process behavior on managed Apple devices, and network indicators associated with mobile exploit frameworks.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Privilege Escalation

SPL Detection Query

Splunk (SPL)
spl 
index=mdm OR index=mobile_security sourcetype=apple_mdm OR sourcetype=jamf OR sourcetype=ms_intune
| eval is_ios = if(match(os_platform, "(?i)ios|ipados"), 1, 0)
| where is_ios=1
| eval suspicious_event = case(
    match(event_type, "(?i)jailbreak_detected|compliance_violation|device_compromised"), "jailbreak_or_compromise",
    match(event_type, "(?i)malware|exploit|shellcode"), "malware_indicator",
    match(dest_port, "^(4444|8080|8443|1337|5555)$"), "suspicious_outbound",
    true(), null()
)
| where isnotnull(suspicious_event)
| stats count by device_id, device_name, os_version, suspicious_event, src_ip, dest_ip, dest_port
| eval cve="CVE-2023-41974"
| table _time, device_name, os_version, suspicious_event, dest_ip, dest_port, count, cve
critical severity medium confidence

Searches MDM and mobile security logs for iOS/iPadOS devices exhibiting jailbreak detection alerts, compliance violations, or outbound connections to common exploit framework ports, indicative of CVE-2023-41974 exploitation.

Data Sources

Jamf ProMicrosoft IntuneApple MDM Protocol LogsMobile Threat Defense platforms

Required Sourcetypes

apple_mdmjamfms_intunemobile_threat_defense

False Positives & Tuning

  • Authorized jailbroken devices in a security research environment
  • MDM compliance checks triggering false jailbreak alerts on legitimate devices
  • Enterprise apps using non-standard ports for legitimate business traffic
  • Beta iOS builds that may trigger heuristic-based jailbreak detection

Other platforms for CVE-2023-41974

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate iOS MDM Jailbreak Alert with Suspicious Outbound Connection

    Expected signal: MDM log source should show a jailbreak_detected event for the simulated device; network logs should show an outbound TCP connection to port 4444 from the device IP

  2. Test 2Generate Compliance Violation and Network Anomaly via MDM API Simulation

    Expected signal: Splunk HEC should receive two events indexed under the apple_mdm sourcetype; search for device_id=sim-iphone-002 to verify ingestion

  3. Test 3Validate Detection Rule Against Static iOS Exploit Telemetry Sample

    Expected signal: Script outputs PASS messages for both suspicious port and jailbreak indicator checks; the JSON file contains three events representing a realistic post-exploitation sequence

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2023-41974 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0004Privilege Escalation

Same Tactic: Initial Access

Popular Detections