Likelihood: LOW
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Low
Likelihood is low because CVE-2026-28819 is unconfirmed in NVD, CISA KEV, and Apple's official advisories, no exploitation has been observed, and the physical-adjacency requirement (Wi-Fi range) limits attacker reach to local network segments. Impact is rated very high because, if confirmed, a zero-interaction kernel-level RCE on Apple devices would grant the highest privilege level to any adjacent attacker, directly threatening executive communications, legal and financial data, and privileged credentials, with no user action required to trigger compromise.
Treatment rationale: The combination of kernel-level severity and zero-interaction exploitation pathway — even at low confirmed likelihood — makes acceptance untenable for organizations with Apple devices on shared or public Wi-Fi, and the threat is too proximate to business operations to avoid or solely transfer; interim mitigations (network segmentation, enterprise Wi-Fi controls, device posture monitoring) can materially reduce exposure while confirmation and patching timelines mature.
Third-Party / Supply-Chain Risk
Organizations relying on managed device programs (MDM/UEM vendors, Apple Business Manager, corporate-issued Apple hardware through third-party device management providers) face downstream exposure if a patch is issued and MDM pipeline latency delays deployment — devices remain exposed during the update propagation window. Additionally, organizations using shared conference room or guest Wi-Fi infrastructure operated by co-working providers, hotels, or building management introduce uncontrolled adjacency risk that is outside first-party network controls (NIST SP 800-161 Tier 2/3 shared-service dependency).
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per incident for an organization with meaningful Apple device penetration among privileged users, reflecting potential for credential theft, data exfiltration, and incident response costs; upper end applies if an executive or privileged-access device is compromised with lateral movement achieved
Frequency: At current unconfirmed status with no observed exploitation: illustrative 1–5% annual probability for a mid-to-large enterprise with employees regularly on shared or public Wi-Fi and high Apple device density; frequency rises materially if exploit code becomes publicly available post-confirmation
Annualized: Illustrative ALE of approximately $25K–$250K at current unconfirmed/no-exploit status; this range widens significantly if the CVE is confirmed and an exploit is published, at which point the frequency assumption requires reassessment
Basis: Loss magnitude derived from scope of kernel-level RCE impact — full device compromise, privileged credential exposure, potential lateral movement — weighted against typical enterprise IR costs and data-exposure consequences for organizations with executives and finance/legal staff on affected devices. Frequency derived from current exploitation status (none confirmed), physical adjacency constraint (attacker must be Wi-Fi adjacent), and base rate of opportunistic targeting of high-value mobile devices in enterprise environments. No third-party loss database figures cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If confirmed exploitation results in unauthorized access to PII, PHI, or regulated data, the incident may invoke state and federal breach-notification obligations — verify with counsel before determining notification posture.
• Kernel-level device compromise affecting executive or privileged-user devices may constitute a reportable security event under cyber-insurance policy terms — verify notice obligations and timing with broker before the incident escalates.
• Organizations subject to HIPAA, PCI-DSS, SOX, or similar frameworks should assess whether a confirmed exploitation event on a covered device triggers regulatory disclosure or audit obligations — verify with counsel.