CVE-2025-24085
Published: 27 January 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24085 is a use-after-free vulnerability (CWE-416) addressed by Apple through improved memory management. It affects multiple Apple operating systems, including iOS prior to version 18.3, iPadOS prior to 18.3 and 17.7.6, macOS Sequoia prior to 15.3, macOS Sonoma prior to 14.7.5, macOS Ventura prior to 13.7.5, tvOS prior to 18.3, visionOS prior to 2.3, and watchOS prior to 11.3.
The vulnerability enables a malicious application to elevate privileges. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating exploitation is possible over the network with low attack complexity, no required privileges or user interaction, and impacts confidentiality, integrity, and availability at a high level with a changed scope.
Apple security advisories confirm the issue is fixed in the specified versions across affected platforms. Mitigation details are available in the following support pages: https://support.apple.com/en-us/122066, https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122071, https://support.apple.com/en-us/122072, and https://support.apple.com/en-us/122073.
Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.
Details
- CWE(s)
- KEV Date Added
- 29 January 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free vulnerability directly enables a malicious application to elevate privileges on affected Apple platforms, matching Exploitation for Privilege Escalation.