CVE-2025-24103
Published: 27 January 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24103 is a symlink validation vulnerability (CWE-59) affecting macOS systems prior to the patched versions of macOS Sequoia 15.3, macOS Sonoma 14.7.3, and macOS Ventura 13.7.3. The flaw allows an app to bypass security restrictions and access protected user data due to insufficient checks on symbolic links during file operations. It has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), indicating a medium-severity local confidentiality issue.
A local attacker can exploit this vulnerability by crafting a malicious app that leverages symlinks to read sensitive user data otherwise protected from unauthorized access. Exploitation requires low complexity and no special privileges (PR:N), but user interaction is necessary, such as running the app. Successful attacks result in high-impact unauthorized disclosure of confidential information without affecting integrity or availability.
Apple's security advisories detail the fix as improved symlink validation, urging users to update to macOS Sequoia 15.3, Sonoma 14.7.3, or Ventura 13.7.3. Relevant support pages include https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122069, and https://support.apple.com/en-us/122070, with additional full disclosure discussions at http://seclists.org/fulldisclosure/2025/Jan/15 and http://seclists.org/fulldisclosure/2025/Jan/16.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The symlink validation bypass directly enables unauthorized reading of protected local user data via a malicious app, mapping to T1005 Data from Local System.