Cyber Posture

CVE-2025-24245

Severity: Critical

Published: 31 March 2025

Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (58.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may acquire credentials from Keychain.

Security Summary

CVE-2025-24245 is a critical vulnerability (CVSS 9.8) in macOS Sequoia prior to version 15.4, classified as CWE-862 (Missing Authorization). It allows a malicious app to bypass protections and access a user's saved passwords by exploiting the insufficient delay between verification code attempts. The issue was publicly disclosed on 2025-03-31.

According to the CVSS vector, the vulnerability is exploitable over the network with low attack complexity and requires neither privileges nor user interaction. By deploying a malicious app, or tricking a user into running one, an attacker can achieve high confidentiality, integrity, and availability impact, specifically unauthorized access to the victim's saved passwords.

Apple's advisory at https://support.apple.com/en-us/122373 states that the vulnerability is fixed in macOS Sequoia 15.4 by adding a delay between verification code attempts. Additional details appear in the Full Disclosure mailing list post at http://seclists.org/fulldisclosure/2025/Apr/8. Security practitioners should prioritize updating affected systems to mitigate this risk.

Details

CWE(s)
CWE-862

Affected Products

Apple macOS, versions ≤ 15.4

MITRE ATT&CK Enterprise Techniques

T1555.001 Keychain Credential Access
Adversaries may acquire credentials from Keychain.
Why these techniques?

The vulnerability directly enables unauthorized access to saved passwords on macOS via a malicious app by bypassing authorization checks and rate limits on verification codes, mapping to credential access from the Keychain password store.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
