minute read Share this article: A format-string bug believed to be a low-risk denial-of-service issue turns out to be much nastier than expected. A vulnerability in Apple iOS opens the door to remote code execution (RCE), researchers found. The assessment is a revision from a previous understanding of the flaw that viewed it as a low-risk (and somewhat wacky) denial-of-service (DoS) problem affecting iPhone’s Wi-Fi feature. Apple fixed the original DoS issue with iOS 14.6, without issuing a CVE. But when ZecOps analyzed the bug, researchers found that it could be used for RCE without little interaction with the victim – and that the attack worked on fully patched iPhones.