Apple’s default iOS mail app has a serious security flaw that makes it vulnerable to hackers, San Francisco-based cybersecurity startup ZecOps said in a report published Wednesday. A “zero-click” attack can infect iOS devices by downloading a malicious email, without the user opening up the message.

"The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory," the report said. "The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device."

The cybersecurity firm said the vulnerability was "widely exploited in the wild,” meaning criminals have been frequently using the flaw to attack iOS devices.

Apple has issued a patch for the vulnerability in the iOS 13.4.5 beta, with a software update coming soon. ZecOps said six high-profile figures have been attacked using the vulnerability including "individuals from a Fortune 500 organization in North America" and “an executive from a carrier in Japan.” 

Apple iPhone users have been exposed to attacks before. Security researchers on Google’s Project Zero team said in August that they found flaws on Apple phones that would allow malicious websites to compromise personal files, messages and other data. 

In May, iOS users were found susceptible to a vulnerability on Whatsapp that would install spyware allegedly created by Israeli cyber surveillance company NSO Group. Users were urged to update to the latest version of Whatsapp after the flaw was exposed.