The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday it’s requiring federal agencies to patch two Apple operating system vulnerabilities in the coming weeks, while recommending that all organizations prioritize deployment of the updates for iOS, macOS and iPadOS devices.
CISA said in a post that it has seen “evidence of active exploitation” for the two vulnerabilities affecting Apple products such as iPhone, Mac and iPad.
CISA ordered federal agencies to update affected devices by May 1 with the latest versions of iOS, macOS and iPadOS, which Apple released on Friday.
While the order only applies to Federal Civilian Executive Branch agencies, “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation” of actively exploited vulnerabilities such as the Apple OS flaws, the agency said in its post Monday.
The two vulnerabilities impact iPhones going back to the iPhone 8, Macs that run macOS Ventura and numerous models of iPad.
The zero-day vulnerabilities were patched in iOS 16.4.1, macOS Ventura 13.3.1 and iPadOS 16.4.1.
One of the vulnerabilities (tracked as CVE-2023-28206) could be used by an attacker to execute arbitrary code with kernel privileges on affected Apple devices, the company said. The other vulnerability (tracked as CVE-2023-28205) could allow arbitrary code execution if an attacker persuades a user to load malicious web content, according to Apple.
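For administrators who need to confirm that their fleet actually received the builds named above, the following Python script is an added example (it is not from the article, CISA or Apple). It compares each device's reported OS version against the minimum fixed versions the article lists, reports how many days remain before the May 1 deadline, and treats macOS releases other than Ventura (13.x) as outside the scope of this advisory rather than guessing at them. The inventory rows, device names and the "today" date are constructed for the demonstration.

```python
from datetime import date

# Earliest OS versions that contain the fixes for CVE-2023-28205 and
# CVE-2023-28206, as listed in the article.
PATCHED_VERSIONS = {
    "iOS": (16, 4, 1),
    "iPadOS": (16, 4, 1),
    "macOS": (13, 3, 1),   # macOS Ventura 13.3.1
}

# CISA's remediation deadline for federal civilian agencies, per the article.
KEV_DUE_DATE = date(2023, 5, 1)


def parse_version(text):
    """Convert '16.4.1' or '13.3' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))      # '16.4' compares as 16.4.0
    return tuple(parts[:3])


def patch_status(platform, version):
    """Return 'patched', 'unpatched', or 'out-of-scope' for one device."""
    required = PATCHED_VERSIONS.get(platform)
    if required is None:
        return "out-of-scope"            # platform not named in the advisory
    current = parse_version(version)
    # The article names only macOS Ventura (13.x) as affected; other macOS
    # majors are reported as out of scope here rather than assumed patched.
    if platform == "macOS" and current[0] != 13:
        return "out-of-scope"
    return "patched" if current >= required else "unpatched"


def triage(inventory, today):
    """Summarise an inventory: devices still needing the update, and the
    number of days left before the CISA due date (negative once overdue)."""
    unpatched = [d["name"] for d in inventory
                 if patch_status(d["platform"], d["version"]) == "unpatched"]
    return {
        "unpatched": sorted(unpatched),
        "days_until_due": (KEV_DUE_DATE - today).days,
    }


# Constructed sample inventory (hypothetical device names and versions),
# in the shape an MDM export might be flattened into.
SAMPLE_INVENTORY = [
    {"name": "iphone-alice", "platform": "iOS", "version": "16.4.1"},
    {"name": "iphone-bob", "platform": "iOS", "version": "16.4"},
    {"name": "ipad-lab-01", "platform": "iPadOS", "version": "16.3.1"},
    {"name": "mac-ventura-01", "platform": "macOS", "version": "13.3.1"},
    {"name": "mac-ventura-02", "platform": "macOS", "version": "13.3"},
    {"name": "mac-monterey-01", "platform": "macOS", "version": "12.6.4"},
    {"name": "watch-carol", "platform": "watchOS", "version": "9.4"},
]

if __name__ == "__main__":
    # Constructed reference date, not a date taken from the article.
    report = triage(SAMPLE_INVENTORY, today=date(2023, 4, 10))
    for name in report["unpatched"]:
        print(f"needs update: {name}")
    print(f"days until CISA due date: {report['days_until_due']}")
```

The version comparison is done on integer tuples rather than strings so that a device on 16.4 is correctly ranked below 16.4.1; string comparison would get that right here but fails as soon as a component reaches two digits (for example "16.10" versus "16.9").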