While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, Citizen Lab researchers discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.

The Citizen Lab determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. We believe that FORCEDENTRY has been in use since at least February 2021.

The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.”

Today, September 13th, Apple is releasing an update that patches CVE-2021-30860. Readers are urged to immediately update all Apple devices.

Read the full report.