Cyber Resilience

CVE-2021-30713

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 September 2021
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.3rd percentile)
Risk Priority: 36 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30713 is a high-severity Missing Authorization (CWE-862) vulnerability in Apple Mac OS X. Its CVSS base score is 7.8 (High).

Operationally, it ranks at the 23.3rd percentile by EPSS exploit likelihood (below the median), yet CISA has added it to the Known Exploited Vulnerabilities catalog, so it should be treated as exploited in the wild regardless of the EPSS figure.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

A permissions issue stemming from insufficient validation was present in macOS Big Sur prior to version 11.4. The flaw, tracked as CVE-2021-30713 and assigned CWE-862, resides in the system's handling of application permissions and allows a malicious application to bypass Privacy preferences that would otherwise restrict access to sensitive user data or system resources.

An attacker able to run a malicious application on an affected system can exploit the vulnerability locally without user interaction. Successful exploitation lets the application bypass the intended privacy controls, giving it access to user data and system resources it should not have, which is reflected in the high confidentiality, integrity, and availability impact of the CVSS 7.8 score.

Apple addressed the issue in the macOS Big Sur 11.4 update released on 24 May 2021. The vendor's security advisory (HT212529) and related disclosures explicitly recommend installing the update to remediate the permissions validation weakness.

Apple has stated it is aware of reports indicating the vulnerability may have been actively exploited in the wild prior to patching.

Vulnerability details

A permissions issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- apple / mac os x: 10.15.7 (range 10.15 to 10.15.7)
- apple / macos: ≤ 11.4

Mitigating Controls (NIST 800-53 r5)

- AC-3 Access Enforcement (prevent): Directly enforces access decisions for privacy preferences that the CVE's insufficient validation allowed a malicious app to bypass.
- SI-2 Flaw Remediation (prevent): Requires timely installation of the macOS 11.4 update that remediates the permissions-validation flaw.
- Input validation control (identifier not given on this page; prevent): Addresses the root cause of inadequate validation when the system processes application permission requests.
