Apple has released fixes for three vulnerabilities in iOS, iPadOS and tvOS that may have already been exploited by hackers in real attacks. Apple does not specify the nature of the attacks, their scale and who is the organizer.
All three vulnerabilities (CVE-2021-1782, CVE-2021-1870 and CVE-2021-1871) were discovered by an anonymous security researcher and fixed in iOS 14.4 and iPadOS 14.4 for iPhone 6s and newer, iPad Air 2 and newer , iPad mini 4 and later, and iPod touch 7th generation. Patches have also been released for Apple TV 4K and Apple TV HD.
CVE-2021-1782: Kernel race condition vulnerability. With its help, the application can increase its privileges on the system.
CVE-2021-1870 and CVE-2021-1871: Logical errors in the WebKit browser engine. Their successful exploitation allows remote code execution.
It is possible that attackers exploit these vulnerabilities in a bundle to carry out watering hole attacks. Such attacks involve infecting the victim's device with malware through compromised sites. Using the above vulnerabilities, the malware can escalate its privileges and execute arbitrary commands to gain control over the device.