CVE-2025-30462
Published: 31 March 2025
Description
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.
Security Summary
CVE-2025-30462 is a library injection vulnerability (CWE-284: Improper Access Control) affecting macOS systems prior to the patched versions. The issue allows apps that appear to use App Sandbox to launch without restrictions, enabling unauthorized bypass of sandbox protections. It was addressed with additional restrictions in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as injecting malicious libraries to evade App Sandbox and gain elevated privileges or execute arbitrary code on targeted macOS systems.
Apple security advisories detail the fix through additional library injection restrictions in the specified macOS updates. Practitioners should apply macOS Sequoia 15.4, Sonoma 14.7.5, or Ventura 13.7.5 immediately. Further details are available in Apple's updates at https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, and https://support.apple.com/en-us/122375, along with full disclosure notes at http://seclists.org/fulldisclosure/2025/Apr/10 and http://seclists.org/fulldisclosure/2025/Apr/8.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables library injection by bypassing macOS App Sandbox (improper access control), directly facilitating Dylib Hijacking for code execution, Exploitation for Privilege Escalation to gain elevated access, and Exploitation for Defense Evasion to subvert sandbox protections.