Cyber-security researchers at ZecOps have discovered a critical bug in the default Mail application in iOS dating as far back as Jan 2018. The vulnerability is apparently being actively exploited by hackers to target enterprise users, VIPs and cyber-security service providers, at least over the past couple of years. Apple has patched the flaw in the beta for iOS 13.4.5 after being contacted by ZecOps, but the fix is still unavailable in the stable build, which means it is yet to be rolled out to most users.

According to an official blog post, the vulnerability, which affects both iPhones and iPads, allows remote code execution and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory by using RTF, multi-part, and other methods. On iOS 13, the exploit can be triggered even without a click (zero-click) when the Mail application is opened in the background. As long as a patch isn’t widely available, the researchers are advising users to disable Mail to prevent an attack.

The vulnerabilities exist at least since iOS 6, which was released with iPhone 5 back in 2012. However, the earliest attacks are believed to have taken place on iOS 11.2.2 in January 2018. All tested iOS versions, including version 13.4.1, are vulnerable to the exploits. While ZecOps did not attribute any of the attacks to a specific threat actor, the researchers say that they have come across at least one ‘hackers-for-hire’ organization that is selling exploits using vulnerabilities that leverage email addresses as a main identifier.

According to the researchers, the vulnerability affects both iPads and iPhones, and has already impacted at least six organizations and their staff. Victims include employees of a Fortune 500 company in North America, an executive from a carrier in Japan, a VIP in Germany, cyber-security firms in Saudi Arabia and Israel, and a journalist in Europe. An executive in a Swiss company is also believed to have been the target of the hack.