CVE-2025-24137
Published: 27 January 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-24137 is a type confusion vulnerability (CWE-843) addressed through improved checks in multiple Apple operating systems. It affects iOS prior to version 18.3, iPadOS prior to 18.3 and 17.7.4, macOS Sequoia prior to 15.3, macOS Sonoma prior to 14.7.3, tvOS prior to 18.3, and visionOS prior to 2.3. The flaw allows an attacker on the local network to corrupt process memory, earning a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An adjacent network attacker with no privileges can exploit this vulnerability by tricking a user into interacting with malicious content, such as clicking a link or opening a file. Successful exploitation leads to high-impact consequences, including unauthorized access to sensitive data (confidentiality), modification of system resources (integrity), and disruption of services (availability) through process memory corruption.
Apple's security advisories detail mitigations via software updates, with the issue fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, tvOS 18.3, and visionOS 2.3. Security practitioners should prioritize patching affected devices and advise users to avoid interacting with untrusted local network content. Relevant advisories are available at support.apple.com/en-us/122066, 122067, 122068, 122069, and 122072.
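To prioritize patching, the fixed versions listed above can be checked against a device inventory. The following Python is an added example, not code from Apple or from this page; the inventory rows are constructed, and two behaviours are assumptions: macOS branches the page does not name are reported as unknown, and major releases later than the listed ones are treated as patched.

```python
# Fixed versions are taken from the advisory text; everything else is illustrative.
FIXED = {  # platform -> {major branch: first fixed version}
    "ios": {18: (18, 3, 0)},
    "ipados": {17: (17, 7, 4), 18: (18, 3, 0)},
    "macos": {14: (14, 7, 3), 15: (15, 3, 0)},
    "tvos": {18: (18, 3, 0)},
    "visionos": {2: (2, 3, 0)},
}
# The page names only the Sonoma (14) and Sequoia (15) branches for macOS, so
# older macOS majors are reported as "unknown" rather than guessed (assumption).
NAMED_BRANCHES_ONLY = {"macos"}

def parse_version(text):
    """'18.2.1' -> (18, 2, 1); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def patch_status(platform, version):
    """Return 'patched', 'needs-update' or 'unknown' for one device."""
    key = platform.strip().lower()
    branches = FIXED.get(key)
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"  # version string is not dotted numeric
    if branches is None:
        return "unknown"  # platform is not listed on the page
    if v[0] in branches:
        return "patched" if v >= branches[v[0]] else "needs-update"
    if v[0] > max(branches):
        return "patched"  # assumption: later major releases carry the fix
    if key in NAMED_BRANCHES_ONLY:
        return "unknown"
    return "needs-update"  # older than every fixed version the page lists

def triage(inventory):
    """Group (host, platform, version) rows by patch status."""
    report = {"patched": [], "needs-update": [], "unknown": []}
    for host, platform, version in inventory:
        report[patch_status(platform, version)].append(host)
    return report

SAMPLE_INVENTORY = [  # constructed rows, not real devices
    ("ipad-lab-01", "iPadOS", "17.7.3"),
    ("ipad-lab-02", "iPadOS", "17.7.4"),
    ("mac-dev-07", "macOS", "14.7.2"),
    ("mac-old-02", "macOS", "13.7"),
]
```

Calling `triage(SAMPLE_INVENTORY)` returns the host names grouped under `patched`, `needs-update` and `unknown`; hosts in the last group need a manual check against Apple's advisories.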
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The type confusion vulnerability enables an adjacent network attacker to achieve process memory corruption and high-impact code execution by tricking a user into interacting with malicious content (e.g., link or file), directly mapping to client-side exploitation.