Cyber Resilience

CVE-2024-54542

Critical

Published: 27 January 2025

Modified: 02 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0022 (44.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-54542 is a critical-severity Missing Authorization (CWE-862) vulnerability in Apple Safari. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks at the 44.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-54542 is an authentication vulnerability resulting from improper state management, classified under CWE-862 (Missing Authorization). It affects Safari prior to version 18.2, iOS prior to 18.2, iPadOS prior to 18.2, macOS Sequoia prior to 15.2, and watchOS prior to 11.2. The flaw allows Private Browsing tabs to be accessed without authentication, earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

The vulnerability can be exploited by a remote attacker requiring no privileges or user interaction, enabling network-based attacks with low complexity. Exploitation grants high confidentiality impact through unauthorized access to Private Browsing tabs and high availability impact on the affected system.

Apple's security advisories confirm the issue was fixed via improved state management in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, and watchOS 11.2. Mitigation requires updating to these versions or later, with further details available at https://support.apple.com/en-us/121837, https://support.apple.com/en-us/121839, https://support.apple.com/en-us/121843, and https://support.apple.com/en-us/121846.

Vulnerability details

An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2. Private Browsing tabs may be accessed without authentication.

CWE(s)

CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20626: same product (Apple iPadOS)
CVE-2025-31182: same product (Apple iPadOS)
CVE-2025-24150: same product (Apple iPadOS)
CVE-2023-43010: same product (Apple iPadOS)
CVE-2026-20667: same product (Apple iPadOS)
CVE-2025-43529: same product (Apple iPadOS)
CVE-2025-31277: same product (Apple iPadOS)
CVE-2025-31278: same product (Apple iPadOS)
CVE-2024-54551: same product (Apple iPadOS)
CVE-2025-31273: same product (Apple iPadOS)

Affected Assets

Vendor / Product / Version
apple / safari / ≤ 18.2
apple / ipados / ≤ 18.2
apple / iphone os / ≤ 18.2
apple / macos / ≤ 15.2
apple / watchos / ≤ 11.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly countering the missing authorization (CWE-862) that allows unauthenticated access to Private Browsing tabs.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of the specific authentication flaw by patching to Safari 18.2 and the related Apple OS versions.

AC-6 Least Privilege (prevent): Employs least privilege to restrict access to Private Browsing tabs to authorized users or processes only, mitigating bypasses caused by improper state management.

References

https://support.apple.com/en-us/121837
https://support.apple.com/en-us/121839
https://support.apple.com/en-us/121843
https://support.apple.com/en-us/121846