"Glass Cage" – Sophisticated Zero-Click iMessage Exploit Chain Enabling Persistent iOS Compromise and Device Bricking
CVE-2025-24085 (CNVD-2025-07885), CVE-2025-24201
Author: Joseph Goydish II
Date: 06/10/2025
Release Type: Full Disclosure
Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery)
Delivery Vector: iMessage (default configuration)
Impact: Remote Code Execution, Privilege Escalation, Keychain Exfiltration,
Persistent Access, Optional Device Bricking
----------------------------------------------------------------------
Summary:
In December 2024, I discovered a previously undocumented zero-click exploit
chain targeting iOS 18.2. The vulnerability chain, dubbed "Glass Cage," enables
an attacker to compromise a device silently by sending a single malicious PNG
image via iMessage.
The exploit bypasses multiple layers of Apple's defenses, including BlastDoor,
WebKit sandboxing, and CoreMedia memory protections. Once triggered, the
payload escalates to kernel-level access, extracts iCloud Keychain data,
alters Wi-Fi proxy settings, establishes persistence, and can optionally
irreversibly brick the device.
This attack chain resulted in the discovery of two CVEs:
- CVE-2025-24085: CoreMedia use-after-free (kernel-level code execution)
Patched by Apple on January 27, 2025
- CVE-2025-24201: WebKit path injection (RCE via asset misresolution)
Patched by Apple on March 11, 2025
Neither CVE was attributed to me, and MITRE did not respond to my direct CVE
requests. I submitted the CoreMedia issue to CNVD, which acknowledged it as
CNVD-2025-07885 and issued certificate CNVD-YCGO-202504012519.
----------------------------------------------------------------------
Technical Summary:
- BlastDoor bypass via malformed HEIF/ASTC metadata
- QuickLook sandbox escape via in-process thumbnail rendering
- CVE-2025-24201: WebKit path injection -> remote code execution
- CVE-2025-24085 (also CNVD-2025-07885): CoreMedia use-after-free -> kernel
execution
- Persistence via unauthorized launchd daemon
- Optional device bricking via IODeviceTree parameter manipulation
----------------------------------------------------------------------
Reproduction:
1. Craft HEIF image with malformed EXIF and ASTC decoder parameters
2. Wrap in WebP container to evade MIME filters
3. Send via iMessage to a default iOS 18.2 device
4. Preview pipeline triggers exploit chain automatically
5. Achieves code execution, kernel escalation, persistence, and optional
bricking
----------------------------------------------------------------------
Impact:
- Full remote device takeover with zero user interaction
- Kernel-level code execution
- iCloud Keychain and secret exfiltration
- Wi-Fi proxy hijack via wifid manipulation
- Persistent launch daemon injection
- Optional device bricking as a cleanup payload
- Forensic evasion through log suppression and timestamp manipulation
----------------------------------------------------------------------
Disclosure Timeline:
- Dec 18, 2024: Discovered in-the-wild on iOS 18.2
Reported to Apple (Report ID: OE19648727267113)
- Dec 19–25, 2024: Multiple follow-ups and log/video submissions to Apple
- Jan 9, 2025: Re-submitted to Apple and reported to US-CERT
- Jan 27, 2025: Apple patches CVE-2025-24085 (CoreMedia use-after-free)
- Mar 11, 2025: Apple patches CVE-2025-24201 (WebKit path injection)
- MITRE did not respond to CVE requests; neither CVE attributed to me
- Apr 2025: CNVD registers CoreMedia UAF as CNVD-2025-07885
- Jun 2025: Full public disclosure due to vendor silence and lack of credit
----------------------------------------------------------------------
Vendor Communication Summary:
Between Dec 18, 2024 and Jan 6, 2025, I maintained active communication with Apple
Product Security. I provided:
- A working exploit and secure download link
- Timestamped logs demonstrating iCloud Keychain and Contacts access
- Syslogs confirming activity from CoreMedia, QuickLook, and locationd
- Video evidence and forensic breakdowns
- Logs verifying access to Contacts, Biome resources, and geolocation data
- Confirmation of BlastDoor sandbox bypass during message preview
- Multiple follow-ups requesting clarification on what was needed for Apple
to begin investigation
Despite these efforts, Apple never confirmed the nature of the zero-day, nor
attributed either CVE to my original submission. MITRE did not respond to my
CVE requests. CNVD independently validated and credited the CoreMedia
discovery as CNVD-2025-07885.
In the absence of vendor attribution, international recognition via CNVD establishes verifiable authorship.
----------------------------------------------------------------------
Certification:
The CoreMedia vulnerability was formally recognized by the China National
Vulnerability Database (CNVD) under the ID CNVD-2025-07885.
Certificate ID: CNVD-YCGO-202504012519
Attached in PDF format for verification.
----------------------------------------------------------------------
Full Technical Disclosure:
[Glass Cage iOS Attack Chain](https://weareapartyof1.substack.com/p/glass-cage-zero-day-imessage-attack)
----------------------------------------------------------------------
Request for Feedback:
If you have additional insights, independent validation, or questions about
any aspect of this disclosure, I welcome peer review, reproduction, and
independent validation to strengthen the public record this disclosure creates.
----------------------------------------------------------------------
Contact:
Joseph Goydish II
[email protected]
https://www.linkedin.com/in/josephg007/
----------------------------------------------------------------------
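Editor's note: the reproduction steps above say the HEIF payload was wrapped in a WebP container to evade MIME filters, which is a check any upload or messaging gateway can perform cheaply. The following is an added example, not code from the original post or its author, of a content-type sniffer that identifies PNG, WebP and HEIF/ISOBMFF containers by their magic bytes, compares the result with the declared MIME type, and walks the RIFF chunk list of a WebP file looking for a nested ISOBMFF (ftyp) container hidden in a metadata chunk. The chunk name set, the HEIF brand list and the sample files are assumptions constructed for the example; the code makes no claim about the specific payload described in the disclosure.

```python
"""Magic-byte identification of image containers plus a declared-MIME cross-check.

Added example (not the disclosure author's code). The sample files at the bottom
are constructed inline so the module runs offline.
"""
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed list of ISOBMFF brands that denote HEIF-family still images.
HEIF_BRANDS = {b"heic", b"heix", b"hevc", b"hevx", b"heim", b"heis", b"mif1", b"msf1", b"avif"}
# Assumed list of chunk FourCCs a well-formed WebP file may contain.
KNOWN_WEBP_CHUNKS = {b"VP8 ", b"VP8L", b"VP8X", b"ALPH", b"ANIM", b"ANMF", b"ICCP", b"EXIF", b"XMP "}


def sniff_image(data: bytes) -> str:
    """Return a MIME type derived from the leading bytes only, never from a declared type."""
    if data.startswith(PNG_SIG):
        return "image/png"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        # ISOBMFF ftyp box: size (u32 BE), 'ftyp', major brand, minor version, compatible brands
        size = struct.unpack(">I", data[:4])[0]
        brands = {data[8:12]} | {data[i:i + 4] for i in range(16, min(size, len(data)), 4)}
        return "image/heif" if brands & HEIF_BRANDS else "video/mp4"
    return "application/octet-stream"


def riff_chunks(data: bytes):
    """Yield (fourcc, payload) for each chunk after the 12-byte RIFF/WEBP header."""
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to even length


def check_upload(declared_mime: str, data: bytes) -> list:
    """Return a list of findings; an empty list means the file looks like what it claims."""
    findings = []
    actual = sniff_image(data)
    if actual != declared_mime:
        findings.append(f"mime-mismatch: declared {declared_mime}, content sniffs as {actual}")
    if actual == "image/webp":
        for fourcc, payload in riff_chunks(data):
            if fourcc not in KNOWN_WEBP_CHUNKS:
                findings.append(f"unknown-chunk: {fourcc!r}")
            nested = sniff_image(payload)
            if nested != "application/octet-stream":
                findings.append(f"nested-container: chunk {fourcc!r} carries {nested}")
    return findings


def build_webp(chunks) -> bytes:
    """Assemble a RIFF/WEBP file from (fourcc, payload) pairs (constructed test data)."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a bare HEIF ftyp box, a plain WebP, and a WebP whose EXIF
# chunk smuggles the HEIF container.
SAMPLE_HEIF = struct.pack(">I", 24) + b"ftyp" + b"heic" + struct.pack(">I", 0) + b"mif1" + b"heic"
SAMPLE_WEBP = build_webp([(b"VP8L", b"\x2f\x00\x00\x00\x00")])
SAMPLE_WRAPPED = build_webp([(b"VP8L", b"\x2f\x00\x00\x00\x00"), (b"EXIF", SAMPLE_HEIF)])

if __name__ == "__main__":
    for name, declared, blob in [("heif-as-png", "image/png", SAMPLE_HEIF),
                                 ("plain-webp", "image/webp", SAMPLE_WEBP),
                                 ("wrapped", "image/webp", SAMPLE_WRAPPED)]:
        print(name, check_upload(declared, blob) or "clean")
```

The sniffer deliberately ignores file extensions and Content-Type headers; those are the inputs an attacker controls. The nested-container scan is a heuristic for the wrapping trick the disclosure describes and will not catch payloads that are compressed or obfuscated inside a chunk.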