CVE-2024-27821
Published: 14 May 2024
Summary
CVE-2024-27821 is a medium-severity Path Traversal (CWE-22) vulnerability in Apple iPadOS. Its CVSS base score is 4.7 (Medium).
Operationally, it ranks in the top 14.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
A path handling issue, addressed through improved input validation, affects the Shortcuts feature on Apple platforms. The vulnerability, tracked as CVE-2024-27821 and classified as CWE-22, impacts iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, and watchOS 10.5. It allows a shortcut to output sensitive user data without explicit consent. Its CVSS 4.7 vector reflects the need for local access, high attack complexity, and user interaction.
An attacker can supply a malicious shortcut that an unsuspecting user runs on an affected device. Successful exploitation results in unauthorized disclosure of sensitive information while leaving integrity and availability untouched.
Apple security advisories for the May 2024 updates state that the issue is resolved in iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and watchOS 10.5; users should install the patches to prevent the unintended data exposure.
The EPSS score rose from a low baseline to a peak of 0.0555 on 2026-02-10 before receding to its current value of 0.0236, indicating a measurable increase in exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25014
Vulnerability details
A path handling issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, watchOS 10.5. A shortcut may output sensitive user data without consent.
- CWE(s): CWE-22
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.