CVE-2024-54530

CVE-2024-54530 is a vulnerability in the password autofill feature on Apple devices, where passwords may be filled in even after authentication fails. The issue stems from insufficient checks, classified under CWE-863 (Incorrect Authorization), and affects iOS prior to 18.2, iPadOS prior to 18.2, macOS Sequoia prior to 15.2, visionOS prior to 2.2, and watchOS prior to 11.2. It has a CVSS v3.1 base score of 9.1, indicating critical severity due to high confidentiality and integrity impacts.

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing scope (S:U). An attacker could leverage this to bypass authentication mechanisms in password autofill, potentially disclosing sensitive credentials or enabling unauthorized access to autofill-saved passwords.

Apple addressed the issue through improved checks, as detailed in their security updates. The patches are available in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, visionOS 2.2, and watchOS 11.2. Relevant advisories are published at https://support.apple.com/en-us/121837, https://support.apple.com/en-us/121839, https://support.apple.com/en-us/121843, and https://support.apple.com/en-us/121845.