
NSO Group iMessage Zero-Click Exploit – Patched by Apple

09.15.21
By: BreachQuest


On September 13, 2021, researchers at Citizen Lab published a report describing an iMessage zero-click exploit they code-named FORCEDENTRY (CVE-2021-30860). The exploit was discovered through analysis of a Saudi activist's iPhone and does not require user interaction for delivery of the payload. The payload is believed to be the PEGASUS malware built by NSO Group.

Citizen Lab released the report to coincide with Apple publishing a patch that prevents exploitation of the vulnerability. All users with a Mac, iPhone, or Apple Watch are advised to update their systems immediately.

NSO’s Pegasus – Discovery

Citizen Lab discovered, and Apple confirmed, a 0-day exploit in PDF processing. Specifically, the exploit is triggered through the CoreGraphics image rendering library. The exploit can be activated through iMessage without user interaction. In past exploits used by NSO, there has typically been some artifact of a message delivering the exploit. In this case, however, the user would likely have no way to notice any anomaly.

Severity Level – 7.8 High (NVD)

The iMessage exploit can be discovered without the need for a jailbreak by examining SMS message attachments in an iTunes backup. Some threat actors might delete these attachments post-exploitation. Citizen Lab also disclosed a method to detect successful exploitation, called CASCADEFAIL, that highlights an anomaly in SQLite database tables which can be observed through an iTunes backup.
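The post describes CASCADEFAIL only as an anomaly in SQLite tables, so the Python below is an added example and not code from the post, from BreachQuest, or from Citizen Lab. It shows the general shape of such a check: child rows left behind when a parent row was deleted without the delete cascading to the rows that reference it. The `process`/`usage` schema, column names and sample rows are constructed for illustration; the post does not name the real database or tables on the device, and this example does not claim to.

```python
"""Orphaned-row (incomplete cascade delete) check for an SQLite database
copied out of a device backup. Added example; schema is constructed."""
import re
import sqlite3
from collections import Counter
from typing import Dict, List, Tuple

# Constructed schema: a parent table of processes and a child table of
# per-process usage rows. On a healthy database, deleting a parent row is
# expected to remove its children too; children that outlive their parent
# are the anomaly this check looks for.
SCHEMA = """
CREATE TABLE process (pk INTEGER PRIMARY KEY, bundle TEXT NOT NULL);
CREATE TABLE usage   (pk INTEGER PRIMARY KEY, process_pk INTEGER NOT NULL,
                      wifi_in INTEGER, wwan_in INTEGER, ts REAL);
"""

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name: str) -> str:
    """Only plain identifiers may be spliced into query text."""
    if not _IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed rows. Rows 12 and 13 reference a
    parent (pk 7) that has been removed without the delete cascading."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO process VALUES (?, ?)", [
        (1, "com.example.messages"),   # constructed bundle ids
        (2, "com.example.browser"),
    ])
    conn.executemany("INSERT INTO usage VALUES (?, ?, ?, ?, ?)", [
        (10, 1, 1024, 0, 652000000.0),
        (11, 2, 4096, 2048, 652000100.0),
        (12, 7, 8192, 8192, 652000200.0),   # parent pk 7 no longer exists
        (13, 7, 512, 0, 652000201.0),       # same vanished parent
    ])
    conn.commit()
    return conn


def find_orphans(conn: sqlite3.Connection, child: str, fk: str,
                 parent: str, parent_pk: str = "pk") -> List[Tuple]:
    """Return every row of `child` whose `fk` matches no `parent_pk`.
    A non-empty result means a parent row was deleted but its children
    were not, i.e. an incomplete cascade."""
    child, fk, parent, parent_pk = map(_ident, (child, fk, parent, parent_pk))
    sql = (f"SELECT c.* FROM {child} AS c "
           f"LEFT JOIN {parent} AS p ON c.{fk} = p.{parent_pk} "
           f"WHERE p.{parent_pk} IS NULL ORDER BY c.rowid")
    return conn.execute(sql).fetchall()


def summarize_orphans(orphans: List[Tuple], fk_index: int) -> Dict[int, int]:
    """Count orphaned child rows per missing parent key."""
    return dict(Counter(row[fk_index] for row in orphans))


def open_backup_db(path: str) -> sqlite3.Connection:
    """Open a database file extracted from a backup read-only, so the
    check never modifies the evidence file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    db = build_sample_db()
    rows = find_orphans(db, "usage", "process_pk", "process")
    for row in rows:
        print("orphaned usage row:", row)
    # fk_index=1 because process_pk is the second column of `usage`
    print("missing parent -> orphan count:", summarize_orphans(rows, fk_index=1))
```

To run this against a real artifact, copy the database out of the backup first and open it with `open_backup_db` so the original is never written to. A non-empty result is an indicator that deserves follow-up rather than proof of compromise on its own: application bugs and interrupted migrations can also leave orphaned rows, so the finding should be weighed together with the other indicators the post mentions, such as missing or unusual message attachments.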

MDM and mobile security software are not sufficient to prevent the exploitation of this vulnerability. PEGASUS malware gives the threat actor practically complete control of an infected device.

Threat actors often accelerate exploitation when they know they are losing access to a vulnerability (e.g., when it is patched). This should motivate organizations to patch now if they were otherwise considering delaying.

Vulnerability Disclosure & Patch

The vulnerability was reported to Apple on September 7, 2021, and the patch was released on September 13, 2021. Citizen Lab is not releasing specific details about how the exploit is triggered in the CoreGraphics library.

Exploitation has been occurring since at least February 2021. Given this fact and the speed of the release, it is entirely possible that Apple patched the specific exploit chain used by NSO while failing to mitigate the underlying vulnerability. If this is the case, we can expect NSO to investigate an alternative exploit chain and repackage it, knowing they are on borrowed time.

What’s Next? – Recommendations for Users

Here are a few recommendations to consider:

  • Update any impacted systems immediately. Currently, only iOS has been observed being targeted in the wild, but watchOS and macOS are also vulnerable. Threat actors may reverse engineer the patch to target devices that do not receive updates quickly. The initial exploit is extremely difficult to discover and weaponize, but obtaining a working exploit from the patch is trivial for advanced threat actors.
  • On macOS, consider deploying a firewall for outbound communication. Any successful exploitation would give threat actors sufficient permissions to disable the firewall, but that capability would typically be seen in a follow-on payload rather than the initial exploit. A third-party firewall that blocks outbound communication is marginally more secure than the built-in option (though this is only security through obscurity).

If there is concern that a device was exploited, the best option is to restore the device to factory settings.

BreachQuest is reimagining incident response with an elite team of cybersecurity veterans. The BreachQuest team includes former NSA, DoD, and US Cyber Command operators that have serviced more than 40 percent of the Fortune 100. BreachQuest was founded in response to the growing threat of ransomware, offering organizations the ability to minimize the cost and downtime associated with breaches through a re-engineered approach to incident response and recovery.