Full Report
On June 29 at REcon, Citizen Lab senior researcher Bill Marczak and co-presenter Daniel Roethlisberger will recount how they discovered a Pegasus exploit targeting iOS 10 devices back in 2017. They will describe their investigation, analyze the root cause of the vulnerability, detail how the exploit leveraged the vulnerability to gain code execution after boot, and explain how the vulnerability was mitigated.
Analysis Summary
This summary is based on the provided context describing a presentation announcement regarding a discovered Pegasus persistence exploit from 2017. Specific technical details, CVEs, or CVSS scores that would typically accompany a formal vulnerability disclosure are not present in this high-level announcement.
# Vulnerability: Pegasus Persistence Exploit Targeting iOS 10 (2017 Discovery)
## CVE Details
- CVE ID: Not specified in the provided text. (The article documents a discovery, not a formal CVE release.)
- CVSS Score: Not specified.
- CWE: Not specified.
## Affected Systems
- Products: Pegasus (Implied target systems are iOS devices running the vulnerable software).
- Versions: iOS 10 (Specific minimum/maximum vulnerable versions within iOS 10 are not detailed).
- Configurations: Not specified.
## Vulnerability Description
The vulnerability relates to a Pegasus exploit pathway discovered by Citizen Lab researchers concerning a persistence mechanism active around 2017. The exploit leveraged a root cause vulnerability to achieve code execution *after* the device had rebooted (persistence).
## Exploitation
- Status: The details imply successful exploitation against targets in the past (2017 discovery phase), but do not specify if it was exploited in the wild at that time or if a PoC is public now.
- Complexity: Not explicitly rated, but achieving persistence for zero-click malware like Pegasus suggests high complexity.
- Attack Vector: Not explicitly detailed, but typical zero-click Pegasus exploits often rely on zero-click network vectors.
## Impact
- Confidentiality: High (Implied, as Pegasus grants complete device access).
- Integrity: High (Implied, as code execution is achieved).
- Availability: Low to Medium (A payload persistence mechanism could potentially impact device stability or functionality).
## Remediation
### Patches
- Specific patch versions are not listed, but the presentation indicates the vulnerability was **mitigated** by the vendor (Apple) at some point following its discovery/analysis.
### Workarounds
- No specific workarounds are detailed in the announcement.
## Detection
- Detection methods focus on analyzing the exploit chain to understand how it achieved code execution after boot. Specific Indicators of Compromise (IOCs) are not provided in this summary announcement, but are likely covered in the linked presentation content.
## References
- Vendor advisories: None provided directly.
- Relevant links:
- Presentation Details: hXXps://cfp.recon.cx/recon-2025/talk/V8UDLZ/
- Event Information: hXXps://citizenlab.ca/2025/06/a-trip-to-ancient-babylon-unearthing-a-2017-pegasus-persistence-exploit/