CVE-2025-24238
Published: 31 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24238 is a logic issue addressed through improved checks, enabling an app to gain elevated privileges. The vulnerability affects Apple's iOS prior to version 18.4, iPadOS prior to 18.4, macOS Sequoia prior to 15.4, macOS Sonoma prior to 14.7.5, macOS Ventura prior to 13.7.5, tvOS prior to 18.4, and watchOS prior to 11.4. It is classified under CWE-276 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact confidentiality, integrity, and availability effects.
A remote attacker with no privileges or user interaction required can exploit this vulnerability over the network with low complexity. Exploitation allows a malicious app to elevate its privileges, potentially compromising the affected device by accessing sensitive data, modifying system behavior, or disrupting operations.
Apple's security advisories detail the fix via improved checks in the listed software updates, recommending immediate patching to iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, or watchOS 11.4. Further details are available in the referenced support documents at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, https://support.apple.com/en-us/122375, and https://support.apple.com/en-us/122376.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a logic flaw (CWE-276) that directly enables an app to gain elevated privileges without authentication or user interaction, matching the definition of exploiting a software vulnerability for privilege escalation.