Full Report
Wash your mouth out with digital soap Apple Intelligence, the personal AI system integrated into newer Macs, iPhones, and other iThings, can be hijacked using prompt injection, forcing the model into producing an attacker-controlled result and putting millions of users at risk, researchers have shown.…
Analysis Summary
# Vulnerability: Apple Intelligence Prompt Injection via "Neural Exec"
## CVE Details
- **CVE ID**: Not specified in the article (Discovery disclosed to Apple on Oct 15, 2025).
- **CVSS Score**: N/A (Projected High: potential for data manipulation and trust elevation).
- **CWE**: CWE-116: Improper Encoding or Escaping of Output; CWE-1336: Improper Handling of Structural Elements in Input (Prompt Injection).
## Affected Systems
- **Products**: iPhone, iPad, Mac, and Apple Vision Pro integrated with Apple Intelligence.
- **Versions**: Systems running versions prior to iOS 26.4 and macOS 26.4.
- **Configurations**:
- iPhone 15 Pro and later.
- iPads and Macs with M1 chips or later.
- iPads with A17 Pro.
- Any device utilizing Apple's on-device Local Language Model (LLM).
## Vulnerability Description
Researchers at RSAC developed a multi-stage prompt injection attack that bypasses Apple’s input/output filters and on-device model guardrails. The attack utilizes two primary components:
1. **Neural Exec**: An optimization algorithm used to mechanically generate "execution triggers"—specific strings designed to force the LLM to ignore system instructions and execute attacker-controlled logic.
2. **Unicode Right-to-Left (RTL) Override**: To bypass safety filters that scan for "toxic" output, attackers encoded malicious strings backwards. By inserting the Unicode RTL override character, the LLM renders the text in its intended (harmful) order on the display, effectively "blinding" the security filters while still delivering the payload to the user interface.
## Exploitation
- **Status**: PoC available (Demonstrated by RSAC researchers).
- **Complexity**: Low (The "Neural Exec" algorithm automates the injection process).
- **Attack Vector**: Network/Local (Indirect prompt injection via emails, messages, or web content processed by Apple Intelligence).
## Impact
- **Confidentiality**: Medium (Potential to manipulate how data is displayed or processed).
- **Integrity**: High (Researchers demonstrated the ability to create unauthorized contacts, posing as trusted entities like "Mom" to facilitate phishing).
- **Availability**: Low (Primary impact is on model behavior and trust).
## Remediation
### Patches
- **iOS 26.4**: Released to address the specific "Neural Exec" and Unicode bypass techniques.
- **macOS 26.4**: Released to mitigate the vulnerability on Mac hardware.
### Workarounds
- Users on older versions should exercise caution when using Apple Intelligence features (e.g., Siri, Mail Summaries) to process untrusted or unsolicited third-party content.
## Detection
- **Indicators of Compromise**: Presence of unexpected Unicode RTL override characters (U+202E) in incoming messages or data summaries.
- **Detection Methods**: Monitoring for automated, high-entropy strings within prompts that appear to be machine-generated (consistent with the Neural Exec optimization algorithm).
## References
- RSAC Research Paper - [ hxxps[:]//arxiv[.]org/pdf/2403.03792 ]
- The Register Article - [ hxxps[:]//www[.]theregister[.]com/2026/04/09/apple_intelligence_prompt_injection/ ]