CVE-2025-24263
Published: 31 March 2025
Description (MITRE ATT&CK technique T1005, Data from Local System, to which this CVE is mapped)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24263 is a privacy vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) in macOS before Sequoia 15.4. Sensitive user data was stored in a location that was not protected from other software on the system, so an app running on the Mac could observe it. Apple fixed the issue by moving the data to a protected location. The published CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), i.e. critical, with high impact recorded for confidentiality, integrity, and availability.
Read literally, that vector describes a remote, unauthenticated attack that needs no user interaction. The advisory, however, describes the attack surface as an app already running on the device reading data from an unprotected location, which is a local information-disclosure issue: the confidentiality impact (observation and possible exfiltration of private user data by any app on the system) is what the description supports, while the network attack vector and the integrity and availability ratings are not reflected in the described behaviour, so treat them with caution when prioritising rather than as evidence of data tampering or denial of service. The unchanged scope means the impact stays within the affected component.
Apple's security advisory (https://support.apple.com/en-us/122373) documents the fix in macOS Sequoia 15.4; updating to 15.4 or later is the mitigation. Additional disclosure is available at http://seclists.org/fulldisclosure/2025/Apr/8.
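The bug class here is storage in a location other apps can read, fixed by moving the data somewhere protected. The following is an added example, not Apple's code and not taken from the advisory (which does not name the affected path): it shows the weak and hardened storage pattern on POSIX permissions, an audit that flags files another local user or app could read, and a version check against the 15.4 fix threshold. On macOS the real protection is a TCC-gated or container directory rather than mode bits alone; the mode-bit check stands in for that generically. The paths, the token contents and the `demo()` helper are constructed for illustration.

```python
"""Added example (not Apple's code): the CWE-200 'unprotected location'
pattern, its hardened counterpart, an audit for the weak condition, and a
check of a macOS version string against the fixed release 15.4."""
import os
import stat
import tempfile


def weak_write(path: str, data: bytes) -> int:
    """Unprotected-location pattern: the mode comes from the process umask,
    so under the common 022 default the file is world-readable (0644).
    Returns the resulting mode bits."""
    with open(path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def protected_write(path: str, data: bytes) -> int:
    """Hardened pattern: create the file owner-only (0600) at creation time,
    independent of umask. O_EXCL|O_NOFOLLOW refuses to reuse a pre-planted
    file or symlink. Returns the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        os.fchmod(fd, 0o600)  # explicit, in case the filesystem ignores the create mode
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_readable_by_others(root: str):
    """Walk a directory and report regular files readable by group or others:
    the 'another app on the system can observe it' condition."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((os.path.relpath(full, root), stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def is_fixed_macos(version: str, fixed: str = "15.4") -> bool:
    """True when a dotted macOS version (e.g. from `sw_vers -productVersion`)
    is at or above the fixed release; missing components count as 0."""
    def parts(v):
        return [int(x) for x in v.split(".")]
    a, b = parts(version), parts(fixed)
    n = max(len(a), len(b))
    a += [0] * (n - len(a))
    b += [0] * (n - len(b))
    return a >= b


def demo() -> dict:
    """Constructed scenario: write the same secret both ways under a 022 umask
    in a scratch directory, then audit the directory."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as root:
            weak = weak_write(os.path.join(root, "weak.token"), b"constructed-secret")
            strong = protected_write(os.path.join(root, "protected.token"), b"constructed-secret")
            return {
                "weak": weak,            # 0o644: readable by any local app
                "protected": strong,     # 0o600: owner only
                "flagged": [name for name, _ in audit_readable_by_others(root)],
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    print(demo())
    print("15.3.2 fixed?", is_fixed_macos("15.3.2"), "| 15.4.1 fixed?", is_fixed_macos("15.4.1"))
```

Run `audit_readable_by_others` against a directory your own app writes to; anything it flags is, from the point of view of this CVE's threat model, observable by every other app on the machine. The version check is the fleet-side counterpart: feed it the output of `sw_vers -productVersion` and anything below 15.4 is unpatched.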
Details
- CWE(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
- Affected Products: macOS before Sequoia 15.4 (fixed in macOS Sequoia 15.4)
- MITRE ATT&CK Enterprise Techniques: T1005 Data from Local System
Why these techniques?
The vulnerability leaves sensitive user data in an unprotected location on the local system, which is exactly the condition T1005 describes: an app already on the machine can read and collect that data from local storage without needing extra privileges, as a staging step before exfiltration.