Cyber Resilience

CVE-2024-27821

Severity: Medium
Published: 14 May 2024
Modified: 02 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0236 (85.3rd percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-27821 is a medium-severity path traversal (CWE-22) vulnerability in the Shortcuts feature of Apple iOS, iPadOS, macOS Sonoma and watchOS. Its CVSS v3.1 base score is 4.7 (Medium).

Operationally, its EPSS score places it in the top 14.7% of CVEs by estimated probability of exploitation; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A path handling issue in the Shortcuts feature on Apple platforms was addressed through improved input validation. The vulnerability, tracked as CVE-2024-27821 and classified as CWE-22 (path traversal), affects iOS and iPadOS releases before 17.5, macOS Sonoma 14.0 up to but not including 14.5, and watchOS releases before 10.5. It allows a shortcut to output sensitive user data without the user's explicit consent. The CVSS v3.1 vector (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) records a local attack vector, high attack complexity, no privileges required, user interaction required, and a high confidentiality impact with no effect on integrity or availability, which is what produces the 4.7 base score.

An attacker must get a malicious shortcut onto an affected device and persuade an unsuspecting user to run it; the high attack complexity and user-interaction requirement in the vector reflect this. Successful exploitation discloses sensitive user data, while integrity and availability are untouched.

Apple's security advisories for the May 2024 updates state that the issue is fixed in iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5 and watchOS 10.5; installing those updates removes the unintended data exposure.

The EPSS score rose from a low baseline to a peak of 0.0555 on 2026-02-10 before receding to its current value of 0.0236, so the modeled probability of exploitation increased measurably after public disclosure even though the issue has not been added to KEV.

Vulnerability details

A path handling issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, watchOS 10.5. A shortcut may output sensitive user data without consent.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product     Affected versions
apple    ipados      earlier than 17.5 (fixed in 17.5)
apple    iphone os   earlier than 17.5 (fixed in 17.5)
apple    macos       14.0 up to but not including 14.5 (fixed in 14.5)
apple    watchos     earlier than 10.5 (fixed in 10.5)

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames so that a supplied path cannot resolve outside the intended directory. The check must be made on the canonical path (after '..' segments and symbolic links have been resolved), not on the raw string.
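The control above is the generic CWE-22 defence: canonicalize the supplied path, then confirm it still lies inside the permitted directory. The following is an added example written for this page, not code from Apple or from Shortcuts (this page does not describe the affected component's internals); it shows the check in Python next to the string-prefix mistake it replaces, exercised on a constructed temporary directory tree. The directory and file names in `demo()` are invented for the example and assume a POSIX filesystem on which the current user may create symlinks.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_within(base_dir, user_path) -> Optional[Path]:
    """Return the canonical path for user_path if it stays inside base_dir, else None.

    The candidate is joined to the base and then canonicalised with Path.resolve(),
    which collapses '.' and '..' and follows symbolic links, so the containment
    decision is made on where the path really lands on disk rather than on the
    string the caller supplied. Containment is checked component-wise with
    relative_to(), so a sibling directory whose name merely starts with the base
    name is rejected.
    """
    base = Path(base_dir).resolve()
    # Path.__truediv__ discards base when user_path is absolute; the containment
    # check below still catches that case because the result lies outside base.
    candidate = (base / user_path).resolve()
    if candidate == base:
        return None  # the directory itself is not a file inside it
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def naive_prefix_check(base_dir, user_path) -> bool:
    """The common mistake, kept only for contrast: a string-prefix test on the
    canonical paths accepts any sibling whose name starts with the base name."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_dir, user_path))
    return candidate.startswith(base)


def demo() -> dict:
    """Exercise both checks on a constructed directory tree (sample data built
    here for the example, not taken from any real device)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        export = root / "export"                # the only directory output may go to
        (export / "sub").mkdir(parents=True)
        (export / "notes.txt").write_text("ok")
        secret = root / "secret.txt"            # lives outside the allowed directory
        secret.write_text("private")
        sibling = root / "export-old"           # shares a string prefix with 'export'
        sibling.mkdir()
        (sibling / "leak.txt").write_text("private")
        (export / "link").symlink_to(secret)    # symlink inside export pointing out

        return {
            "plain_accepted":         resolve_within(export, "notes.txt") is not None,
            "dotdot_rejected":        resolve_within(export, "../secret.txt") is None,
            "absolute_rejected":      resolve_within(export, str(secret)) is None,
            "symlink_rejected":       resolve_within(export, "link") is None,
            "normalised_accepted":    resolve_within(export, "sub/../notes.txt") is not None,
            "naive_accepts_sibling":  naive_prefix_check(export, "../export-old/leak.txt"),
            "strict_rejects_sibling": resolve_within(export, "../export-old/leak.txt") is None,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {ok}")
```

Every entry in the dictionary returned by `demo()` is True: the strict check accepts only paths that land inside `export`, rejecting `..` escapes, absolute paths and a symlink that points outside, while the prefix test wrongly admits `export-old/leak.txt` because its canonical path starts with the string `.../export`.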
