Cyber Resilience

CVE-2024-54523

Medium

Published: 27 January 2025

Published
27 January 2025
Modified
02 April 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
EPSS Score 0.0027 50.7th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54523 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Ipados. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 49.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-54523 is a vulnerability addressed through improved bounds checks, classified under CWE-787 (Out-of-bounds Write). It affects Apple operating systems prior to the following versions: iOS 18.2, iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, and watchOS 11.2. The flaw allows an app to corrupt coprocessor memory, with a CVSS v3.1 base score of 6.3 (AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

A local attacker with no privileges required can exploit this vulnerability by tricking a user into interacting with a malicious app, such as through social engineering to install or execute it. Successful exploitation enables high integrity impact by corrupting coprocessor memory, potentially leading to arbitrary code execution or other system disruptions within the changed scope, though it does not directly affect confidentiality or availability.

Apple security advisories, detailed in support documents such as https://support.apple.com/en-us/121837, https://support.apple.com/en-us/121839, https://support.apple.com/en-us/121843, and https://support.apple.com/en-us/121844, confirm the issue was fixed via improved bounds checks in the listed software updates. Mitigation requires applying these patches promptly to vulnerable systems.

EU & UK References

Vulnerability details

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, watchOS 11.2. An app may be able to corrupt coprocessor memory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Out-of-bounds write in client app enables local memory corruption leading to code execution/privilege escalation after user runs malicious app.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-54522Same product: Apple Ipados
CVE-2024-54517Same product: Apple Ipados
CVE-2025-43209Same product: Apple Ipados
CVE-2025-43202Same product: Apple Ipados
CVE-2024-54543Same product: Apple Ipados
CVE-2026-20616Same product: Apple Ipados
CVE-2025-43300Same product: Apple Ipados
CVE-2026-20698Same product: Apple Ipados
CVE-2025-24107Same product: Apple Ipados
CVE-2026-28990Same product: Apple Ipados

Affected Assets

apple
ipados
≤ 18.2
apple
iphone os
≤ 18.2
apple
macos
≤ 15.2
apple
tvos
≤ 18.2
apple
watchos
≤ 11.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identifying, reporting, and correcting the out-of-bounds write flaw via timely patching as provided in Apple updates.

prevent

Implements memory safeguards such as non-executable memory regions and isolation to prevent exploitation of coprocessor memory corruption.

prevent

Enforces bounds checking and input validation to block out-of-bounds writes that corrupt coprocessor memory.

References