CVE-2025-24174
Published: 27 January 2025
Description
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions.
Security Summary
CVE-2025-24174 is a vulnerability in macOS that allows an app to bypass Privacy preferences. The issue was addressed through improved checks and is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, and macOS Ventura 13.7.3, indicating that earlier versions of these macOS releases are affected. It has a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), though NVD-CWE-noinfo is also listed.
A local attacker can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Successful exploitation enables high-impact confidentiality and integrity violations, such as an app accessing or modifying protected privacy settings and potentially sensitive user data that would otherwise be restricted.
Apple's security advisories detail the patches in the specified macOS updates, recommending users apply them promptly to mitigate the bypass of Privacy preferences. Additional details are available in the referenced support pages (https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122069, https://support.apple.com/en-us/122070) and Full Disclosure mailing list posts (http://seclists.org/fulldisclosure/2025/Jan/15, http://seclists.org/fulldisclosure/2025/Jan/16).
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables bypassing and modifying macOS Privacy preferences (TCC controls), facilitating unauthorized access to restricted resources as described in T1548.006 TCC Manipulation.