CVE-2023-43000 is a use-after-free vulnerability in WebKit that affects client-side applications (Safari, iOS/iPadOS browsers, macOS Safari). Despite evidence of active exploitation, an attack requires the user to visit a malicious website, so it does not qualify as direct internet exploitation of public-facing applications.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: USER_INTERACTION
CVE Published: 2025-11-05
Added to CISA KEV: 2026-03-05
Days between CVE and KEV: 120
CVE-2023-43000 is a use-after-free vulnerability (CWE-416) in the WebKit rendering engine. The flaw occurs when memory is freed but still referenced by the application, which can lead to memory corruption. In this specific case, the vulnerability could be triggered by processing specially crafted web content. Attackers could exploit this by luring users to a malicious website or injecting malicious content into a trusted site. Successful exploitation could result in arbitrary code execution within the context of the affected application, such as Safari or any app using WebKit for rendering.
This vulnerability has been known as CVE-2023-43000 since 09/14/2023. Exploitability is rated as easy. The attack can be launched remotely and does not require any form of authentication. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available. The structure of the vulnerability suggests a possible price range of USD $25k-$100k at the moment (estimate calculated on 11/05/2025).
The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It's not effective against the latest version of iOS. It's worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023. However, the security release notes were updated to include an entry for the vulnerability only on November 11, 2025. The third time the JavaScript framework was detected in the wild was in December 2025.
Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We collected WebKit RCEs, which included CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, before the server was shut down. We alerted and worked with CERT-UA to clean up all compromised websites. Full Exploit Chain Collection From Chinese Scam Websites.
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework. How to use the ...
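One way to act on the fixed release (iOS 16.6 / iPadOS 16.6) and the KEV listing together is a small inventory triage; this is an added example, not code from any of the sources quoted here. The device names, inventory fields and status labels are hypothetical, and the KEV lookup is a constructed stand-in for the real catalog.

```python
from datetime import date

# From the page: fixed in iOS 16.6 / iPadOS 16.6; CVE published 2025-11-05;
# added to CISA KEV 2026-03-05. Everything else here is constructed.
CVE_ID = "CVE-2023-43000"
FIXED = {"iOS": (16, 6), "iPadOS": (16, 6)}
CVE_PUBLISHED = date(2025, 11, 5)
KEV_DATE_ADDED = {CVE_ID: date(2026, 3, 5)}  # stand-in for a KEV catalog lookup


def is_exposed(platform, os_version):
    """True/False when the fixed release is known, else None.

    Versions compare numerically, so 16.10 sorts after 16.6 and 16.5.1 before.
    """
    fixed = FIXED.get(platform)
    if fixed is None:
        return None  # e.g. macOS: the page gives no fixed version
    try:
        current = tuple(int(p) for p in os_version.strip().split("."))
    except ValueError:
        return None  # unparseable version string: needs manual review
    return current < fixed


def kev_lag_days():
    return (KEV_DATE_ADDED[CVE_ID] - CVE_PUBLISHED).days


def triage(inventory, today):
    """Return (device, status) rows with the most urgent first."""
    in_kev = KEV_DATE_ADDED.get(CVE_ID, date.max) <= today
    order = {"patch-now": 0, "patch-scheduled": 1, "unknown": 2, "fixed": 3}
    rows = []
    for dev in inventory:
        exposed = is_exposed(dev["platform"], dev["os"])
        if exposed is None:
            status = "unknown"
        elif exposed:
            status = "patch-now" if in_kev else "patch-scheduled"
        else:
            status = "fixed"
        rows.append((dev["name"], status))
    return sorted(rows, key=lambda row: order[row[1]])


# Constructed MDM export (hypothetical device names and fields).
INVENTORY = [
    {"name": "ipad-lobby", "platform": "iPadOS", "os": "16.6"},
    {"name": "iphone-sales-07", "platform": "iOS", "os": "16.5.1"},
    {"name": "mac-design-02", "platform": "macOS", "os": "13.4"},
]
```

Devices that come back as "unknown" need a manual check against the vendor's release notes, since only the iOS and iPadOS fixed versions are stated above.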