A previously unknown zero-click vulnerability in Apple’s iMessage appears to have been exploited by sophisticated threat actors targeting high-profile individuals across the United States and the European Union.

The vulnerability, dubbed “NICKNAME,” affected iOS versions up to 18.1.1 and was silently patched by Apple in iOS 18.3.

The discovery, made by cybersecurity firm iVerify, reveals how attackers could compromise iPhones without any user interaction by exploiting a flaw in iMessage’s contact profile update feature.

The vulnerability is particularly concerning because it requires only the target’s phone number or Apple ID to execute an attack.

Sophisticated iMessage 0-Click Exploit

The NICKNAME vulnerability exploits a race condition in the “imagent” process, which handles all iMessage traffic on iOS devices. When users update their contact profiles, including nickname, photo, or wallpaper, the system generates “Nickname Updates” that are processed by recipients’ devices.

The technical flaw centers on how imagent handles the data associated with these updates. Before Apple’s fix, the system used mutable data containers (NSMutableDictionary objects) that could be modified while other code was still reading them.

This created a classic race condition where one thread might read Nickname Update details while another thread simultaneously modified the same data container.

This memory corruption can trigger a Use-After-Free (UAF) vulnerability, causing the imagent process to crash. However, sophisticated attackers could potentially leverage this corruption as a primitive for achieving code execution on targeted devices.

Between April 2024 and January 2025, iVerify analyzed crash data from nearly 50,000 devices and found that imagent crashes related to Nickname Updates were extraordinarily rare, comprising less than 0.001% of all crash logs collected.

[Figure: crash data]

What made these crashes particularly suspicious was their exclusive appearance on devices belonging to individuals likely to be targeted by advanced persistent threat actors.

The affected devices belonged to political campaign staff, journalists, tech executives, and government officials in the EU and the US.

Most notably, researchers observed these crashes on at least one device belonging to a senior European Union government official approximately thirty days before they received an Apple Threat Notification.

Forensic examination of affected devices revealed suspicious activity consistent with known spyware cleanup procedures. On at least one device, directories related to SMS attachments and message metadata were modified and emptied just 20 seconds after the imagent crash occurred, behavior that mirrors techniques observed in confirmed commercial spyware attacks.
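The two observations above, the rarity of imagent crashes across a fleet and the directory wipes that followed one crash, translate into a simple triage routine. The Python below is an added example, not iVerify’s tooling: it computes how large a share of collected crash records belong to a given process and flags watched directories whose modification time falls within a window after an imagent crash. The crash records, directory states and paths are constructed stand-ins; real iOS paths and crash-log fields are not assumed.

```python
"""Crash-log triage and post-crash timeline correlation (added example).

Both the crash records and the directory snapshots below are constructed for
illustration; they are not real iOS crash logs or real device paths.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class CrashRecord:
    process: str          # crashing process name as reported in the log
    timestamp: datetime   # UTC crash time


@dataclass(frozen=True)
class DirState:
    path: str             # directory path (constructed placeholder)
    mtime: datetime       # last modification time of the directory inode
    entry_count: int      # number of entries found at collection time


# Constructed stand-ins for the message-storage directories the article mentions.
WATCHED_DIRS = ("/example/SMS/Attachments", "/example/SMS/Metadata")


def parse_iso(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


# Constructed crash records: one imagent crash among unrelated crashes.
CRASHES = [
    CrashRecord("imagent", parse_iso("2025-01-10T09:15:02Z")),
    CrashRecord("SpringBoard", parse_iso("2025-01-10T12:00:00Z")),
    CrashRecord("MobileSafari", parse_iso("2025-01-11T08:30:00Z")),
    CrashRecord("SpringBoard", parse_iso("2025-01-12T19:45:10Z")),
]

# Constructed directory snapshots: two wipes ~20s after the crash, one benign edit later.
DIR_STATES = [
    DirState("/example/SMS/Attachments", parse_iso("2025-01-10T09:15:22Z"), 0),
    DirState("/example/SMS/Metadata", parse_iso("2025-01-10T09:15:23Z"), 0),
    DirState("/example/SMS/Attachments", parse_iso("2025-01-11T10:00:00Z"), 14),
    DirState("/example/Unrelated", parse_iso("2025-01-10T09:15:10Z"), 0),
]


def process_crash_ratio(crashes: List[CrashRecord], process: str) -> float:
    """Share of all collected crash records attributed to `process`.

    A very low ratio for a process that is still present on every device is
    the 'extraordinarily rare' signal the article describes.
    """
    if not crashes:
        return 0.0
    hits = sum(1 for c in crashes if c.process == process)
    return hits / len(crashes)


def correlate_post_crash_changes(
    crashes: List[CrashRecord],
    dir_states: List[DirState],
    process: str = "imagent",
    window_seconds: float = 60.0,
) -> List[Dict[str, object]]:
    """Flag watched directories modified within `window_seconds` after a crash of `process`."""
    findings: List[Dict[str, object]] = []
    for crash in crashes:
        if crash.process != process:
            continue
        for state in dir_states:
            if state.path not in WATCHED_DIRS:
                continue
            delta = (state.mtime - crash.timestamp).total_seconds()
            # Only changes that follow the crash, not ones that precede it, are of interest.
            if 0 <= delta <= window_seconds:
                findings.append({
                    "crash_at": crash.timestamp.isoformat(),
                    "path": state.path,
                    "seconds_after_crash": delta,
                    "emptied": state.entry_count == 0,
                })
    return findings


if __name__ == "__main__":
    print(f"imagent share of crashes: {process_crash_ratio(CRASHES, 'imagent'):.3f}")
    for finding in correlate_post_crash_changes(CRASHES, DIR_STATES):
        print(finding)
```

The window is deliberately wider than the 20 seconds reported on the page, so the check catches similar cleanup that lands a little later; the `emptied` flag separates a directory that was merely touched from one that was cleared.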

Apple addressed the vulnerability in iOS 18.3 by implementing a more secure approach to handling Nickname Updates. The fix involves using immutable copies of dictionaries when broadcasting nickname updates, effectively preventing the race condition that enabled exploitation.
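The defect described in the paragraphs on the race condition and the fix just above comes down to one design choice: whether the code that broadcasts an update hands receivers the live mutable container or a read-only copy. The Python below is an added model of that choice, not imagent or Apple code; the update fields, the owner class and the receiver are constructed. It shows a deterministic interleaving in which the owner edits the shared record while a receiver is still walking it, the same receiver working from an immutable snapshot, and a threaded stress run that illustrates why the shared variant fails only occasionally (which is why such crashes are rare in the wild).

```python
"""Shared mutable update record versus immutable snapshot (added example).

Python model of the pattern the article describes; it is not imagent code.
The update fields and class names are constructed for illustration.
"""
import copy
import threading
from types import MappingProxyType
from typing import Any, Callable, Dict, List, Mapping


class UpdateOwner:
    """Owns one in-flight profile update and edits it over time."""

    def __init__(self) -> None:
        # Constructed fields standing in for nickname/photo/wallpaper data.
        self._update: Dict[str, Any] = {
            "nickname": "Alice",
            "photo": b"\x89PNG-constructed-bytes",
            "wallpaper": None,
        }
        self._lock = threading.Lock()

    def broadcast_shared(self) -> Dict[str, Any]:
        """Unsafe variant: receivers get the live mutable container itself."""
        return self._update

    def broadcast_snapshot(self) -> Mapping[str, Any]:
        """Safe variant: receivers get a read-only copy taken under the lock."""
        with self._lock:
            return MappingProxyType(copy.deepcopy(self._update))

    def apply_edit(self, key: str, value: Any) -> None:
        """Owner-side edit: None removes the field, anything else sets it."""
        with self._lock:
            if value is None:
                self._update.pop(key, None)
            else:
                self._update[key] = value


def process_update(view: Mapping[str, Any],
                   between_fields: Callable[[], None] = lambda: None) -> List[str]:
    """Receiver: walks the update field by field.

    `between_fields` marks the point where another thread could be scheduled;
    the deterministic runs below use it to force the interleaving.
    """
    seen: List[str] = []
    for key in view:
        seen.append(key)
        between_fields()
    return seen


def racy_run() -> Any:
    """Owner removes a field while the receiver is mid-walk over the shared dict."""
    owner = UpdateOwner()
    view = owner.broadcast_shared()
    try:
        return process_update(view, lambda: owner.apply_edit("nickname", None))
    except RuntimeError:
        # CPython raises here instead of corrupting memory; in native code the
        # same interleaving is where a use-after-free would surface.
        return "crashed"


def safe_run() -> List[str]:
    """Same interleaving, but the receiver holds an immutable snapshot."""
    owner = UpdateOwner()
    view = owner.broadcast_snapshot()
    return process_update(view, lambda: owner.apply_edit("nickname", None))


def stress(use_snapshot: bool, rounds: int = 2000) -> int:
    """Count receiver failures while a writer thread churns the record concurrently."""
    owner = UpdateOwner()
    stop = threading.Event()

    def writer() -> None:
        i = 0
        while not stop.is_set():
            owner.apply_edit(f"k{i % 5}", i)            # add or overwrite a field
            owner.apply_edit(f"k{(i + 1) % 5}", None)   # remove another one
            i += 1

    thread = threading.Thread(target=writer, daemon=True)
    thread.start()
    failures = 0
    for _ in range(rounds):
        view = owner.broadcast_snapshot() if use_snapshot else owner.broadcast_shared()
        try:
            process_update(view)
        except RuntimeError:
            failures += 1
    stop.set()
    thread.join()
    return failures


if __name__ == "__main__":
    print("shared, forced interleaving:", racy_run())
    print("snapshot, forced interleaving:", safe_run())
    print("shared under load, failures:", stress(use_snapshot=False))
    print("snapshot under load, failures:", stress(use_snapshot=True))
```

The snapshot path costs a copy per broadcast, which is the trade Apple’s fix makes according to the article; the failure count for the shared variant under load varies from run to run, which is the practical face of a race that crashes rarely but not never.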

The imagent process has been a frequent target for sophisticated attackers, having been exploited in previous high-profile campaigns, including the FORCEDENTRY and BLASTPASS operations.

Despite Apple’s implementation of BlastDoor sandboxing in iOS 14 to protect against such attacks, determined threat actors continue finding narrow vectors through Apple’s defenses.

Security experts recommend all iPhone users immediately update to the latest iOS version, with high-risk individuals particularly advised to enable Apple’s Lockdown Mode for additional protection against sophisticated zero-click attacks.
