Citizen Lab has recently released a report discussing two vulnerabilities, namely CVE-2023-41064 and CVE-2023-41061, collectively referred to as BLASTPASS. These vulnerabilities have the capability to infiltrate iPhones through text messages sent via iMessage, without the need for the victim to interact with anything. Citizen Lab has pointed out that this vulnerability is being exploited by NSO Group to deliver malware.
The exploit methods employed by NSO Group have been notoriously sophisticated and likely require significant development resources. At this time, specific details about the vulnerabilities have not been disclosed by Citizen Lab or Apple. However, it has been revealed that the initial vulnerability lies within the ImageIO image processing framework, after which the exploit proceeds to execute code within the Wallet.
Apple has swiftly addressed all identified vulnerabilities with the release of iOS 16.6.1 and iPadOS 16.6.1.
TLDR: Citizen Lab has exposed two vulnerabilities, called BLASTPASS, which allow for the compromise of iPhones through iMessage. Exploited by NSO Group, these vulnerabilities have been patched by Apple in their latest iOS and iPadOS releases.