Apple has acknowledged the bug and says it will be fixed with the next iOS software update.
ZecOps wrote on its website how the vulnerability, which has existed since iOS 6 of 2012 and is likely present on hundreds of millions of iPhones and iPads the world over, could allow attackers access to a victim's phone without physical contact.
The bug is exploited by attackers sending an email that, although small in size, is composed in such a way that it consumes a large amount of the iOS device's RAM. If it uses up enough RAM, the Mail app will crash, forcing the device to reboot.
This crash and reboot then gives attackers access to email inboxes and other areas of the iPhone or iPad, including photos and contact details.
The bug also affects the iPad
Unlike most other cyberattacks, the vulnerability does not require the target to download an email attachment, or click on a link. Merely opening the email - or even by having the Mail app running in the background on devices running iOS 13 - is enough for the attack to take place.
ZecOps says it believes the bug has been exploited since at least January 2018, but that the vulnerability has been present since at least iOS 6, which was released with the iPhone 5 back in September 2012.
More than theoretical, ZecOps says the bug has been exploited to target at least six people. These include an individual from a Fortune 500 company in North America, an executive from a carrier in Japan, a VIP from Germany and a journalist in Europe.
The company said: "We are aware of multiple triggers in the wild that happened starting from Jan 2018, on iOS 11.2.2. It is likely that the same threat operators are actively abusing these vulnerabilities presently. It is possible that the attacker(s) were using this vulnerability even earlier. We have seen similarities between some of the suspected victims during triggers to these vulnerabilities."