CVE-2025-24146
Published: 27 January 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24146 is a vulnerability in the Messages application on macOS systems, where deleting a conversation may expose user contact information in system logging due to inadequate redaction of sensitive information. The affected versions include macOS Sequoia prior to 15.3, macOS Sonoma prior to 14.7.3, and macOS Ventura prior to 13.7.3. Published on 2025-01-27, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Remote attackers can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Exploitation enables access to exposed user contact information within system logs, resulting in high impacts on confidentiality, integrity, and availability as scored by CVSS.
Apple advisories confirm the issue was fixed through improved redaction of sensitive information in macOS Sequoia 15.3, macOS Sonoma 14.7.3, and macOS Ventura 13.7.3. Security practitioners should apply these updates promptly to mitigate exposure risks, with detailed information available in Apple support documents at https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122069, https://support.apple.com/en-us/122070, and Full Disclosure mailing list posts at http://seclists.org/fulldisclosure/2025/Jan/15 and http://seclists.org/fulldisclosure/2025/Jan/16.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes sensitive user contact information in system logs due to inadequate redaction, directly facilitating adversary access to data from the local system.