{
	"id": "ce6cf479-2c7f-4260-b3e8-58e1f515244d",
	"created_at": "2026-04-06T00:19:39.975777Z",
	"updated_at": "2026-04-10T13:12:01.256251Z",
	"deleted_at": null,
	"sha1_hash": "4fb1665911b21522ae15f73d34de472f8cedc6e3",
	"title": "Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 782222,
	"plain_text": "Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus\r\nBy: Mickey Jin Sep 15, 2021 Read time: 4 min (1035 words)\r\nPublished: 2021-09-15 · Archived: 2026-04-05 18:40:01 UTC\r\nExploits \u0026 Vulnerabilities\r\nCitizen Lab has released a report on a new iPhone threat dubbed ForcedEntry. This zero-click exploit seems to be able to circumvent Apple's BlastDoor security and allow attackers access to a device without user interaction.\r\nCitizen Lab has released a report detailing sophisticated iPhone exploits being used against nine Bahraini activists. The activists were reportedly hacked with the NSO Group’s Pegasus spyware using two zero-click iMessage exploits: Kismet, which was identified in 2020; and ForcedEntry, a new vulnerability that was identified in 2021. Zero-click attacks are labeled as sophisticated threats because, unlike typical malware, they do not require user interaction to infect a device. The latter zero-click exploit is particularly notable because it can bypass security protections such as BlastDoor, which was designed by Apple to protect users against zero-click intrusions such as these.\r\nAccording to Citizen Lab’s report, Kismet was used from July to September 2020 and was launched against devices running at least iOS 13.5.1 and 13.7. It was likely not effective against the iOS 14 update in September. Then, in February 2021, the NSO Group started deploying the zero-click exploit that managed to circumvent BlastDoor, which Citizen Lab calls ForcedEntry. Amnesty Tech, a global collective of digital rights advocates and security researchers, also observed zero-click iMessage exploit activity during this period and referred to it as Megalodon.\r\nDiving into ForcedEntry\r\nAccording to the report from Citizen Lab, when the ForcedEntry exploit was launched against the victim’s device, the device logs showed two types of crashes. The first crash apparently happened when invoking ImageIO’s functionality for rendering Adobe Photoshop PSD data.\r\nOur analysis focuses on the second crash, which is detailed in Figure 1. This crash happened when invoking CoreGraphics’ functionality for decoding JBIG2-encoded data in a PDF file. This analysis is based solely on samples from Citizen Lab; no new samples were obtained.\r\nhttps://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html\r\nPage 1 of 7\r\nFigure 1. This image from Citizen Lab shows a symbolicated Type Two crash for ForcedEntry on an iPhone 12 Pro Max running iOS 14.6. The red highlights are from Trend Micro Research.\r\nFrom this crash log, we can deduce three interesting points: First, the zero-click attack depends on iMessage attachment parsing. Next, the slide of dyld_shared_cache is 0, which means all the system modules are loaded at fixed addresses. Lastly, the crash point 0x181d6e228 is not the first place where the vulnerability is exploited. We discuss the details of these conclusions in the following sections.\r\nRoot cause of CVE-2021-30860\r\nThe vulnerability is inside the function JBIG2Stream::readTextRegionSeg of CoreGraphics.framework. The crash point 0x181d6e228 (as seen in box 3 in the preceding figure) is at line 161 of the function JBIG2Stream::readTextRegionSeg in the following screenshot:\r\nFigure 2. Screenshot of the function JBIG2Stream::readTextRegionSeg showing the crash point\r\nFirst, it calculates numSyms according to the JBIG2SymbolDict segment:\r\nThe type of numSyms is unsigned int, and the return type of the function seg-\u003egetSize() is also unsigned int. Therefore, numSyms could be smaller than the size of one JBIG2Segment due to integer overflow. One example is numSyms=1=(0x80000000+0x80000001) \u003c 0x80000000.\r\nThen, it allocates the heap buffer syms, with the size numSyms * 8:\r\nFinally, it fills syms with the values from the bitmap:\r\nThe number of loop iterations depends on the JBIG2Segment size, which could be larger than the size of the buffer syms. This leads to an out-of-bounds write on the heap buffer syms.\r\nLooking at Apple’s fix\r\nApple patched the function in iOS 14.8:\r\nFigure 3. Screenshot of the same function JBIG2Stream::readTextRegionSeg with fixes in place\r\nWe can see that Apple adds two new boundary checks (the red box in Figure 3) to avoid overflowing the syms buffer.\r\nOn the Pegasus spyware exploitation\r\nDisabling ASLR\r\nThe dyld_shared_cache of iOS 14.6 (18F72) was loaded into IDA Pro for static analysis, after which a surprising result emerged. We were able to go to the addresses on the call stack directly without rebasing the segment.\r\nAs deduced from the screenshot in Figure 1 (see box 2), the slide of dyld_shared_cache is 0. However, in common crash scenarios, these addresses should have a non-zero slide.\r\nIf the screenshot of the original crash log has not been modified, then the conclusion is worrying. It should be noted that Pegasus already disabled Address Space Layout Randomization (ASLR) before its exploitation.\r\nBypassing PAC\r\nBy inspecting the address 0x181d6e20c from Frame 1 of the call stack trace, we can see that register x0, the return value of the function JBIG2Stream::findSegment, is a subclass of JBIG2Segment:\r\nThere are four subclasses that override the getType() virtual function, but the following code shows that they just return one of the enumeration values:\r\nFor example, JBIG2SymbolDict::getType just returns jbig2SegSymbolDict=1:\r\nTherefore, frame 1 should have called the virtual function seg-\u003egetType(). But in actuality, it had already been subverted to the current function itself (frame 0).\r\nThis shows that the virtual function table of the JBIG2Segment object had already been replaced, and the pointer authentication code (PAC) security feature was bypassed. This is significant because the PAC security mechanism was developed to help prevent zero-click hacking. This also shows that the crash point is not the first place where the vulnerability is exploited.\r\nConclusion and recommendations\r\nFrom the perspective of the attack techniques used, we can see that Pegasus is quite an advanced threat for iOS users. However, it seems that these attacks are being launched against very specific targets, rather than common users.\r\nThe information from the recent Pegasus attack comes from the forensic analysis of Citizen Lab and Amnesty Tech, and we have not found Pegasus attack samples in the wild yet. We are actively searching and monitoring for these threats and will continue to share more details as our investigation continues.\r\nEssentially, this attack exploits a very common kind of file format parsing vulnerability. We previously discovered CVE-2020-9883, a vulnerability similar to ForcedEntry, which could be exploited to do the same as what Pegasus has done here. ForcedEntry’s key point is the exploit technology, as it is still unknown how it is able to bypass PAC and disable ASLR.\r\nIn the meantime, we strongly recommend updating your device to iOS 14.8. As stated previously, common iOS users are not the target for attacks using this spyware. However, there are simple security steps that users can take. For example, concerned users can block iMessages from unknown senders, while a more drastic step would be to disable the iMessage function completely in the device’s Preferences.\r\nSource: https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html"
	],
	"report_names": [
		"analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fb1665911b21522ae15f73d34de472f8cedc6e3.pdf",
		"text": "https://archive.orkl.eu/4fb1665911b21522ae15f73d34de472f8cedc6e3.txt",
		"img": "https://archive.orkl.eu/4fb1665911b21522ae15f73d34de472f8cedc6e3.jpg"
	}
}