CVE-2024-54512

Critical

Published: 27 January 2025

Published

27 January 2025

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0017 37.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The issue was addressed by removing the relevant flags. This issue is fixed in iOS 18.2 and iPadOS 18.2, watchOS 11.2. A system binary could be used to fingerprint a user's Apple Account.

Security Summary

CVE-2024-54512 is a vulnerability in Apple operating systems where a system binary could be used to fingerprint a user's Apple Account. The affected components include iOS prior to version 18.2, iPadOS prior to version 18.2, and watchOS prior to version 11.2. This issue is associated with CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

The vulnerability can be exploited remotely by any network attacker requiring no privileges or user interaction. Successful exploitation allows the attacker to fingerprint the victim's Apple Account, potentially enabling user tracking or identification across sessions and devices through leaked account-specific details obtainable via the system binary.

Apple's security advisories confirm the issue was addressed by removing the relevant flags, with fixes available in iOS 18.2, iPadOS 18.2, and watchOS 11.2. Additional details are provided in the release notes at https://support.apple.com/en-us/121837 and https://support.apple.com/en-us/121843.

Details

CWE(s): NVD-CWE-noinfoCWE-863

Affected Products

apple

ipados

≤ 18.2

apple

iphone os

≤ 18.2

apple

watchos

≤ 11.2

References

https://support.apple.com/en-us/121837
Release Notes · product-security@apple.com
https://support.apple.com/en-us/121843
Release Notes · product-security@apple.com