On May 13, 2024, Apple released 11 security advisories in a single day, pushing patches for dozens of vulnerabilities across iOS, iPadOS, macOS, Safari, watchOS, tvOS, and visionOS. At least one of those flaws, a memory corruption bug buried deep in Apple silicon firmware, carried a warning that it may have already been exploited in the wild. The episode remains one of the most instructive examples of how Apple handles coordinated, large-scale security responses, and why users who delay updates are gambling with real consequences.
What Apple patched on May 13, 2024
The scope of the release was unusually broad. Apple shipped fixes for iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, macOS Ventura 13.6.7, macOS Monterey 12.7.5, Safari 17.5, watchOS 10.5, tvOS 17.5, iOS 16.7.8, iPadOS 16.7.8, and visionOS 1.2. The full list of advisories is available on Apple’s security releases page. The following day, the Cybersecurity and Infrastructure Security Agency (CISA) issued a routine alert encouraging users and administrators to review Apple’s advisories and apply patches promptly.
Bundling this many fixes into a single patch day signaled that Apple treated the underlying risks as serious enough to warrant simultaneous action across its entire ecosystem. When a company ships fixes for phones, tablets, laptops, desktops, watches, streaming boxes, and a spatial computing headset on the same date, it typically means the affected code paths are shared or that the threat environment demanded speed over a phased rollout.
The RTKit flaw that had already been exploited
Among the patched issues, one stood out for its severity and real-world relevance. CVE-2024-23296 is a memory corruption vulnerability in RTKit, a real-time operating system component embedded in Apple silicon that manages low-level hardware tasks such as sensor management and power control. RTKit runs beneath the main operating system on many Apple chips, meaning a flaw at that depth can give an attacker a foothold that is difficult to detect or remove through ordinary software tools.
Apple had initially addressed CVE-2024-23296 in iOS 17.4 and iPadOS 17.4 back in March 2024. The May 13 release extended that fix to older OS versions, including iOS 16.7.8 and macOS Monterey 12.7.5, closing the gap for users who had not yet upgraded to the latest major release.
Apple’s advisory language was telling. According to the National Vulnerability Database record maintained by the National Institute of Standards and Technology, the company stated it was “aware of a report that this issue may have been exploited.” Apple rarely uses that phrasing unless credible evidence of active exploitation exists. The wording stops short of confirming widespread attacks, but security professionals treat it as a confirmed threat rather than a theoretical one.
Memory corruption bugs in firmware-level components like RTKit are especially dangerous because they can allow an attacker to execute arbitrary code with elevated privileges. In practice, a successful exploit could bypass app sandboxing, access data that should be off-limits, or persist through a standard reboot. Patching this class of vulnerability requires a full OS-level update, not just an app store download, which is why Apple rolled the fix into the broader system updates.
Who was targeted and what remains unclear
Neither Apple nor CISA disclosed who was targeted by the exploitation of CVE-2024-23296, how many devices were affected, or whether the attacks were limited to a narrow set of high-value targets. Historically, Apple firmware exploits at this level have been associated with highly targeted surveillance operations rather than mass attacks. Whether that pattern applied here was never publicly confirmed.
Apple does not publish real-time adoption rates for individual security updates, so there is no reliable data on how quickly users patched after May 13, 2024. That gap matters because the window between a patch release and widespread adoption is precisely when attackers escalate their efforts, knowing that exploit details often become more widely known after a fix ships.
CISA’s role and the Known Exploited Vulnerabilities catalog
CISA’s May 14 alert was a standard notification that Apple had released security updates for multiple products. The agency encouraged users and administrators to review the advisories and apply patches. This type of notice is part of CISA’s routine practice of flagging vendor security releases rather than an emergency directive or an elevated warning.
Separately, CISA added CVE-2024-23296 to its Known Exploited Vulnerabilities (KEV) catalog, which federal agencies use to prioritize patching. Inclusion in the KEV catalog is reserved for vulnerabilities with confirmed exploitation and carries binding remediation deadlines for federal civilian networks. That designation remains active and serves as a lasting marker of the flaw’s severity.
Why this still matters for device security today
The May 2024 patch cycle set a pattern that Apple has continued to follow. Coordinated, multi-platform security drops have become more frequent, and the company has grown more willing to acknowledge active exploitation in its advisories. For anyone still running a device on software older than the versions released that day, the vulnerabilities remain unpatched and the risk is not hypothetical.
For organizations still managing mixed fleets of Apple hardware, the lesson from May 2024 is concrete: devices that cannot receive current updates represent a persistent, unresolvable security gap. Enterprise IT teams that have not already retired hardware stuck on macOS Monterey or iOS 16 should treat those endpoints as high-risk, particularly in environments handling government, legal, or medical data.
How to verify your device is protected
On an iPhone or iPad, open Settings > General > Software Update. Any device running iOS 17.5 or later (or iOS 16.7.8 for older models) includes the May 2024 fixes. On a Mac, navigate to System Settings > General > Software Update. The minimum safe versions from this patch cycle are macOS Sonoma 14.5, macOS Ventura 13.6.7, and macOS Monterey 12.7.5.
Safari on macOS can receive independent updates; users should confirm they are running Safari 17.5 or later. Apple Watch and Apple TV users can check through their respective companion apps or device settings.
Devices too old to receive any of these updates cannot be patched against CVE-2024-23296 or the other flaws addressed on May 13, 2024. Using those devices for sensitive tasks like banking, accessing medical records, or handling confidential work files carries risk that no behavioral precaution can fully offset. When a vulnerability sits in the silicon firmware itself, the only real fix is the one Apple ships, and if your hardware is off the support list, that fix will never arrive.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
