CVE-2025-31188
Published: 31 March 2025
Description
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions.
Security Summary
CVE-2025-31188 is a race condition vulnerability, classified under CWE-362, that was addressed through additional validation in macOS. It affects macOS Sequoia versions prior to 15.4, macOS Sonoma prior to 14.7.5, and macOS Ventura prior to 13.7.5, enabling an application to bypass Privacy preferences.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A local attacker requires no privileges but must induce user interaction, such as running a malicious application, to exploit the race condition and bypass privacy controls, potentially achieving high confidentiality, integrity, and availability impacts by accessing or manipulating protected user data.
Apple's security advisories confirm the issue was fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5 via additional validation. Mitigation involves updating to these patched versions, with further details available in the referenced Apple support pages (https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, https://support.apple.com/en-us/122375) and Full Disclosure archives (http://seclists.org/fulldisclosure/2025/Apr/10, http://seclists.org/fulldisclosure/2025/Apr/8).
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Race condition enables bypass of macOS Privacy preferences/TCC controls, directly facilitating T1548.006 TCC Manipulation for unauthorized access to protected resources.