San Francisco-based ZecOps discovered two "exploitable vulnerabilities" in Apple's mail app and alerted the company, which released a beta update this month. The company confirmed that a full update is forthcoming to fix the bug.
The vulnerability can be exploited when a specially crafted email is opened on the mail app by an iPhone or an iPad, said Zuk Avraham, the founder and chief executive officer of ZecOps.
ZecOps has "high confidence" that the flaws may have been used in attacks conducted by "an advanced threat operator," according to a Wednesday report by the company.
Among the victims were "individuals from a Fortune 500 organization in North America" and "an executive from a carrier in Japan," as well as "a journalist in Europe," the report said.
The vulnerabilities may have been exploited by attackers since January 2018, according to ZecOps.
The bugs were disclosed publicly when Apple issued the beta update, and attackers "will likely use the time until a patch is available to attack as many devices as possible," ZecOps predicted in the report.
Users can protect themselves by applying the beta patch, or avoiding the mail app and temporarily switching to alternatives that aren't vulnerable to the bugs, ZecOps said in the report.