PatchSiren cyber security CVE debrief
CVE-2016-7577 Apple CVE debrief
CVE-2016-7577 is an Apple FaceTime vulnerability affecting older iOS and macOS releases. The supplied record says remote attackers could trigger memory corruption and obtain audio data from a call that appeared to have ended. NVD rates it low severity, but the privacy impact is meaningful for organizations that rely on FaceTime for sensitive conversations or still operate legacy Apple devices.
- Vendor: Apple
- Product: CVE-2016-7577
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-20
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-20
- Advisory updated: 2026-05-13
Who should care
Apple device administrators, MDM operators, privacy-sensitive organizations, and users who still run affected iOS or macOS versions should care most. Any environment that handles confidential voice communications should prioritize remediation on exposed legacy systems.
Technical summary
The issue is in Apple’s FaceTime component. According to the supplied description, a remote attacker could trigger memory corruption and may obtain audio data from a call that appeared to have ended. NVD classifies the weakness as CWE-200 and assigns CVSS 3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network reachability, no privileges, no user interaction, and limited confidentiality impact. The record’s narrative says iOS before 10.1 and macOS before 10.12.1 are affected; the supplied NVD CPE criteria enumerate iOS through 10.0.3 and macOS through 10.12.0.
Defensive priority
Moderate for any fleet that still includes affected or legacy Apple systems; lower for fully updated environments. Because the issue can expose audio from a call and the affected components are user-facing communication tools, patching should be prioritized wherever sensitive communications occur.
Recommended defensive actions
- Update affected iOS devices to 10.1 or later and affected macOS systems to 10.12.1 or later, using the vendor advisories supplied in the record.
- Inventory any legacy Apple endpoints and confirm they are not running versions at or below the affected ranges listed in the record.
- Treat FaceTime or audio-privacy anomalies on legacy devices as a signal to validate patch status and device integrity.
- Use the linked Apple advisories and NVD record to confirm applicable remediation guidance for your specific device set.
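The inventory check described in the actions above can be scripted. The following is an added example, not code from the NVD record or the Apple advisories; the CSV column names and hostnames are constructed assumptions, and only the fixed versions (iOS 10.1, macOS 10.12.1) come from the record.

```python
import csv
import io
import re

# First fixed releases, as stated in the record summarized above.
FIXED = {"ios": (10, 1), "macos": (10, 12, 1)}

# Constructed sample inventory (hypothetical hosts, hypothetical MDM export layout).
SAMPLE_INVENTORY = """hostname,platform,os_version
exec-iphone-01,iOS,10.0.3
exec-iphone-02,iOS,10.1
lab-ipad-07,iOS,9.3.5
studio-mac-03,macOS,10.12
studio-mac-04,macOS,10.12.1
legacy-mac-11,macOS,10.9.5
kiosk-mac-02,macOS,unknown
"""

def parse_version(text):
    """Return a tuple of ints, or None when the value is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_before(version, fixed):
    """Numeric comparison with zero padding, so 10.12 is treated as 10.12.0.
    A plain string comparison would wrongly rank "10.9.5" above "10.12.1"."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def classify(platform, os_version):
    """Return 'affected', 'fixed', or 'unknown' (unparseable data needs manual review)."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(os_version)
    if fixed is None or version is None:
        return "unknown"
    return "affected" if is_before(version, fixed) else "fixed"

def audit(inventory_csv):
    """Map each hostname in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Devices reported as `unknown` should be resolved by hand rather than assumed patched.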
Evidence notes
This debrief is based on the supplied NVD record and its referenced Apple advisories. The record states that iOS before 10.1 and macOS before 10.12.1 are affected, while the NVD CPE criteria in the same corpus list iOS through 10.0.3 and macOS through 10.12.0. NVD classifies the issue as CVSS 3.0 3.7 (LOW) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N and CWE-200. The enrichment data indicates the issue is not in CISA KEV.
Official resources
- CVE-2016-7577 CVE record (CVE.org)
- CVE-2016-7577 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Vendor Advisory
Publicly disclosed in the supplied record on 2017-02-20T08:59:01.400Z. The record was later modified on 2026-05-13T00:24:29.033Z. No CISA KEV listing is present in the supplied data.