HeadlinesBriefing.com

Prompt Injection Bypasses Apple Intelligence, Fix Arrives in iOS 26.4

9to5Mac

Security researchers published two RSAC blog posts detailing a prompt‑injection chain that slipped past Apple’s on‑device language model via the Apple Intelligence API. By reversing a malicious string and hiding it with a Unicode right‑to‑left override, they fooled the input filter, then wrapped the payload in a Neural Exec sequence to override the model’s instructions across iPhone and Mac platforms. Apple has since patched the flaw.

The team evaluated the exploit with three prompt pools—system tasks, crafted harmful strings, and benign Wikipedia excerpts—randomly mixing them into 100 trials. The combined attack succeeded in 76% of cases, convincing the model to emit offensive output and demonstrating the attack’s versatility across consumer and enterprise scenarios. Apple received the disclosure in October 2025 and released fortified defenses in iOS 26.4 and macOS 26.4.

The bypass exposed a blind spot in Apple Intelligence’s safety pipeline, showing that Unicode tricks can slip past both input and output filters. For developers relying on on‑device LLMs, the episode underscores the need for inspection that goes deeper than surface‑level sanitization, since a filter that never sees the text as it is rendered to the model cannot judge it; the lesson applies to end users and to the broader AI community. Apple’s swift patch demonstrates its commitment to securing the emerging AI stack.
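The mechanism described above (a reversed string concealed behind a Unicode right‑to‑left override) is exactly the kind of input a filter should examine in its displayed form rather than its raw code‑point order. The following is an added defensive example, not code from Apple or the researchers: it flags Unicode bidi control characters in a prompt and unfolds override spans so a downstream content check sees what a reader would see. The sample prompt is constructed for the demonstration, and the unfolding is a deliberate simplification of the full bidi algorithm that covers the RLO…PDF case only.

```python
# Unicode bidirectional control characters: explicit embeddings, overrides,
# isolates and marks. Any of these in a plain-text prompt is suspicious.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

def find_bidi_controls(text):
    """Return (offset, short name) for every bidi control character in text."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]

def reveal_rlo_segments(text):
    """Approximate the rendered reading order: reverse each RLO..PDF span
    (or RLO to end of text), and drop all other bidi controls. This is a
    simplified model of the override case, not the full Unicode bidi algorithm."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\u202e":                      # start of a right-to-left override
            j = i + 1
            while j < len(text) and text[j] not in ("\u202c", "\u202e"):
                j += 1
            out.append(text[i + 1:j][::-1])     # show the span as it would be read
            # consume the closing PDF; a nested RLO is handled on the next pass
            i = j + 1 if j < len(text) and text[j] == "\u202c" else j
        elif ch in BIDI_CONTROLS:
            i += 1                              # strip stray embedding/isolate marks
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def screen_prompt(text):
    """Policy decision for one prompt: block if any bidi control is present,
    and always hand the revealed (display-order) text to the next filter stage."""
    hits = find_bidi_controls(text)
    return {"blocked": bool(hits), "controls": hits,
            "revealed": reveal_rlo_segments(text)}

# Constructed sample: benign text hidden in reversed order behind an RLO override.
SAMPLE_PROMPT = "Summarize this: " + "\u202e" + "txet neddih" + "\u202c" + " thanks"

if __name__ == "__main__":
    print(screen_prompt(SAMPLE_PROMPT))
```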