0-day/0-click RCE exploit for sale on iOS. Explore the cyberweapons market for espionage.

Redazione RHC : 1 August 2025 21:22

An online forum posting dated July 26, 2025, caught our attention: a user named “Bucad” advertised the sale of an iOS RCE Exploit 0day | ZeroClick/1Click. The exploit, apparently capable of completely compromising an iOS 18.5 device, including rooting, without any visible crashes or significant user interaction, and with persistence capabilities, represents a potential threat of significant proportions.

While the veracity of such claims remains unclear in contexts like these, the announcement raises crucial questions about the functioning and implications of the zero-day exploit and spyware market that we want to reiterate.

What is a 0-day RCE Exploit?

A 0-day RCE (Remote Code Execution) Exploit is a critical software vulnerability that allows an attacker to execute arbitrary code on a remote system (RCE) without the software vendor (in this case, Apple) knowing about it or having had time to release a patch (0-day).

CALL FOR SPONSOR - Sponsorizza l'ottavo episodio della serie Betti-RHC

Sei un'azienda innovativa, che crede nella diffusione di concetti attraverso metodi "non convenzionali"?
Conosci il nostro corso sul cybersecurity awareness a fumetti?
Red Hot Cyber sta ricercando un nuovo sponsor per una nuova puntata del fumetto Betti-RHC mentre il team è impegnato a realizzare 3 nuovi episodi che ci sono stati commissionati.
Contattaci tramite WhatsApp al numero 375 593 1011 per richiedere ulteriori informazioni oppure alla casella di posta [email protected]

Supporta RHC attraverso:

Se ti piacciono le novità e gli articoli riportati su di Red Hot Cyber, iscriviti immediatamente alla newsletter settimanale per non perdere nessun articolo. La newsletter generalmente viene inviata ai nostri lettori ad inizio settimana, indicativamente di lunedì.

The key characteristics of a 0-day RCE, such as those described in the announcement, make it extremely dangerous:

ZeroClick / 1Click: Indicates that the attack requires no or minimal user interaction. A “ZeroClick” attack can compromise a device simply by sending a message or an unanswered call, making it nearly impossible for the victim to detect. A “1Click” requires a single action, such as opening a link.
Full root compromise: This means the attacker gains full control over the system, allowing them to access all data, install software, change settings, and monitor user activity.
Stealth (No user, no crash): The exploit operates invisibly, without generating error messages or unusual behavior that could alert the user.
Extensibility and Persistence: Ability to maintain access to the device even after reboots, facilitating long-term espionage.

In this specific case, an exploit of this level on an operating system like iOS would be extremely valuable. If the claims are true, a similar bug, affecting the latest version of iOS (18.5) and supporting future updates, could be worth millions of euros on the black market, reflecting its rarity and enormous exploitation potential.

What Is an Exploit of This Caliber Used For?

A zero-day RCE exploit, especially for popular platforms like iOS, can be used for a variety of purposes, most of which are illicit or ethically questionable:

Government espionage: States and intelligence agencies use it to monitor dissidents, journalists, activists, foreign government officials, or high-value targets.
Cybercrime: Criminal groups could use it to steal sensitive data, banking credentials, install ransomware, or conduct large-scale fraud.
Industrial espionage: Companies or states can use it to steal trade secrets or strategic information from competitors.
Sabotage: In extreme scenarios, complete control of the device could even allow malicious actions. of sabotage or disinformation.

The Zero-Day Broker Market

There is a market, largely underground and highly specialized, where zero-day exploits are bought and resold, including at private auctions. Major players include:

Independent Security Researchers: Some cybersecurity experts, after discovering a vulnerability, decide to sell it to the highest bidder rather than disclose it to the vendor (a process known as “responsible disclosure”).
Vulnerability Brokers: These are intermediaries that act as a “marketplace” for zero-day vulnerabilities. Companies such as Zerodium, Exodus Intelligence, and Crowdfense are among the best known. They offer large sums of money for verified exploits, especially those that target popular operating systems and applications, such as iOS, Android, or web browsers. The sums can reach exorbitant figures, up to several million dollars for “full chain” exploits (combining multiple vulnerabilities to gain complete control without user interaction).
Governments and Intelligence Agencies: They are among the main buyers, willing to pay astronomical sums to acquire unique offensive capabilities.
Spyware Vendors: Companies that develop and sell advanced espionage software, which use these valuable zero-days to infect victims’ smartphones and achieve complete compromise and therefore surveillance.

The Spyware Market and Its Controversies (Pegasus, Paragon, etc.)

The zero-day market is closely linked to the commercial spyware industry, which often uses these exploits to operate. Companies such as NSO Group (with its infamous Pegasus spyware), Candiru, Paragon, Gamma Group (with FinFisher), and others develop sophisticated surveillance software that can intercept calls, read messages, access the microphone and camera, track location, and steal data from a target device.

This spyware is sold to governments and law enforcement agencies under the justification of fighting terrorism, organized crime, and pedophilia. However, its use has become the subject of heated debate and bitter controversy for several reasons:

Human Rights Abuses: Numerous journalistic investigations (such as the “Pegasus Project”) and reports by human rights organizations have documented the use of this spyware to spy on journalists, lawyers, human rights activists, political opponents, and even heads of state. This raises serious concerns about violations of privacy, freedom of expression, and the right to a fair trial.
Lack of Transparency and Accountability: Spyware companies often operate with little transparency, claiming to sell only to “legitimate” governments and to have “kill switches” to prevent abuse. However, cases of abuse continue to emerge, and oversight and accountability mechanisms appear insufficient.
Risk of Diffusion: Once spyware powered by a zero-day is deployed, the underlying exploit can be discovered and potentially reused by other malicious actors, as happened with the NSA’s EternalBlue, which was later used for WannaCry and NotPetya.
Impact on Digital Trust: The existence of such powerful tools and their misuse undermine trust in digital technologies and the security of online communications.

Conclusion

The international community is divided on how to address this market. Some advocate for a complete ban on the sale of spyware to non-state entities and for more stringent global regulation. Others emphasize the need for such tools for national security and the fight against real threats, while acknowledging the problem of abuse.

In conclusion, the announcement of a zero-day exploit for iOS, while its authenticity remains to be verified, reminds us of the ongoing threat posed by software vulnerabilities and the existence of a highly sophisticated underground market. This ecosystem, fueled by brokers and spyware companies, poses global ethical and security challenges that require ever-increasing attention and regulation to protect individuals’ rights and privacy in the digital age.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli