A newly discovered zero-click vulnerability in Apple’s iMessage has been exploited by advanced threat actors to target high-profile individuals across the United States and the European Union. This vulnerability, identified as NICKNAME, affected iOS versions up to 18.1.1 and was discreetly patched by Apple in iOS 18.3. The cybersecurity firm iVerify uncovered this flaw, revealing that attackers could compromise iPhones without any user interaction by exploiting a weakness in iMessage’s contact profile update feature.
Understanding Zero-Click Exploits
Zero-click exploits are particularly alarming because they do not require any action from the user, such as clicking a link or downloading a file. This means that simply receiving a malicious message can lead to device compromise. The NICKNAME vulnerability exemplifies this threat, as it allows attackers to gain control over a device merely by sending a specially crafted iMessage.
Technical Details of the NICKNAME Vulnerability
The NICKNAME vulnerability exploits a race condition in the imagent process, which manages all iMessage traffic on iOS devices. When users update their contact profiles—including nickname, photo, or wallpaper—the system generates Nickname Updates that are processed by recipients’ devices. The flaw lies in how the imagent process handles the data associated with these updates. Prior to Apple’s fix, the system used mutable data containers (NSMutableDictionary objects) that could be modified by one thread while another was still reading them. This created a classic race condition: one thread might read Nickname Update details while another thread simultaneously modified the same data container.
The resulting memory corruption can manifest as a Use-After-Free (UAF) condition, causing the imagent process to crash. Sophisticated attackers could potentially leverage this corruption as a primitive for achieving code execution on targeted devices.
Discovery and Analysis
Between April 2024 and January 2025, iVerify analyzed crash data from nearly 50,000 devices and found that imagent crashes related to Nickname Updates were extraordinarily rare, comprising less than 0.001% of all crash logs collected. These crashes were exclusively observed on devices belonging to individuals likely to be targeted by advanced persistent threat actors, including political campaign staff, journalists, tech executives, and government officials in the EU and the US.
Notably, researchers observed these crashes on at least one device belonging to a senior European Union government official approximately thirty days before they received an Apple Threat Notification. Forensic examination of affected devices revealed suspicious activity consistent with known spyware cleanup procedures. On at least one device, directories related to SMS attachments and message metadata were modified and emptied just 20 seconds after the imagent crash occurred—behavior that mirrors techniques observed in confirmed commercial spyware attacks.
Apple’s Response and Mitigation
Apple addressed the vulnerability in iOS 18.3 by implementing a more secure approach to handling Nickname Updates. The fix involves using immutable copies of dictionaries when broadcasting nickname updates, effectively preventing the race condition that enabled exploitation. The imagent process has been a frequent target for sophisticated attackers, having been exploited in previous high-profile campaigns including FORCEDENTRY and BLASTPASS operations. Despite Apple’s implementation of BlastDoor sandboxing in iOS 14 to protect against such attacks, determined threat actors continue finding narrow vectors through Apple’s defenses.
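The following C++ model, added here and not taken from Apple or iVerify, illustrates the defect class described above and the remedy the article attributes to iOS 18.3: a writer that swaps in a fresh container and a broadcast path that hands readers an immutable snapshot, so no reader ever observes a container being mutated underneath it. The Profile field names, the "witness" consistency field, and the ProfileStore API are constructed for the example.

```cpp
#include <atomic>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Constructed model of a Nickname Update; the field names are assumptions, not Apple's.
using Profile = std::map<std::string, std::string>;
using Snapshot = std::shared_ptr<const Profile>;
class ProfileStore {
public:
    // Writer path: build a fresh container and swap it in. Containers already handed to
    // readers are never mutated, and shared_ptr keeps them alive until the last reader is done.
    void update(const std::string& nick, const std::string& photo) {
        auto next = std::make_shared<Profile>(
            Profile{{"nickname", nick}, {"photo", photo}, {"witness", nick + "|" + photo}});
        std::lock_guard<std::mutex> g(mu_);
        current_ = std::move(next);
    }
    // Broadcast path: hand out an immutable copy, as the page says the iOS 18.3 fix does. The
    // pre-fix pattern returned the live mutable container that update() could modify mid-read.
    Snapshot broadcast() const {
        std::lock_guard<std::mutex> g(mu_);
        return current_;
    }
private:
    mutable std::mutex mu_;
    Snapshot current_ = std::make_shared<Profile>();
};

// A reader that saw a torn update would find the witness out of step with the other fields.
bool consistent(const Snapshot& s) {
    return s->empty() || s->at("witness") == s->at("nickname") + "|" + s->at("photo");
}

// Interleave writers and readers; true iff every snapshot any reader observed was consistent.
bool stress(int writers, int readers, int iters) {
    ProfileStore store;
    std::atomic<bool> ok{true};
    std::vector<std::thread> ts;
    for (int w = 0; w < writers; ++w) ts.emplace_back([&store, w, iters] {
        for (int i = 0; i < iters; ++i) store.update("nick" + std::to_string(w * iters + i), "photo");
    });
    for (int r = 0; r < readers; ++r) ts.emplace_back([&store, &ok, iters] {
        for (int i = 0; i < iters; ++i) if (!consistent(store.broadcast())) ok = false;
    });
    for (auto& t : ts) t.join();
    return ok;
}
```

A snapshot taken before an update keeps its old contents and stays valid after the update lands, which is exactly the property a shared mutable dictionary lacks.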
Recommendations for Users
Security experts recommend all iPhone users immediately update to the latest iOS version to protect against known vulnerabilities. High-risk individuals, such as those in political, journalistic, or executive roles, are particularly advised to enable Apple’s Lockdown Mode for additional protection. Lockdown Mode is designed to reduce the attack surface by limiting certain functionalities that could be exploited by sophisticated attacks.
Broader Implications
The discovery of the NICKNAME vulnerability underscores the evolving nature of cyber threats targeting mobile devices. Zero-click exploits represent a significant challenge for both users and developers, as they can bypass traditional security measures and require no user interaction. This incident highlights the importance of continuous vigilance, prompt software updates, and the implementation of advanced security features to safeguard sensitive information.
Conclusion
The exploitation of the NICKNAME vulnerability in iMessage serves as a stark reminder of the sophistication of modern cyber threats. Users must remain proactive in updating their devices and utilizing available security features to mitigate potential risks. As threat actors continue to develop more advanced techniques, collaboration between cybersecurity researchers and technology companies is essential to identify and address vulnerabilities promptly.