CVE-2024-54542

Severity: Critical
Published: 27 January 2025
Modified: 02 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0022 (44.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-54542 is a critical-severity Missing Authorization (CWE-862) vulnerability in Apple Safari. Its CVSS base score is 9.1 (Critical).

Operationally, its EPSS score ranks at the 44.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-3 (Access Enforcement), prevent: Enforces approved authorizations for access to system resources, directly countering the missing authorization (CWE-862) that allows unauthenticated access to Private Browsing tabs.

- Flaw remediation, prevent: Requires timely identification, reporting, and correction of the specific authentication flaw via patching to Safari 18.2 and related Apple OS versions.

- AC-6 (Least Privilege), prevent: Employs least privilege to restrict access to Private Browsing tabs only to authorized users or processes, mitigating improper state management bypasses.

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2. Private Browsing tabs may be accessed without authentication.

Deeper analysis

CVE-2024-54542 is an authentication vulnerability resulting from improper state management, classified under CWE-862 (Missing Authorization). It affects Safari prior to version 18.2, iOS prior to 18.2, iPadOS prior to 18.2, macOS Sequoia prior to 15.2, and watchOS prior to 11.2. The flaw allows Private Browsing tabs to be accessed without authentication, earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

The vulnerability is exploitable by a remote attacker over the network with low attack complexity, requiring no privileges and no user interaction. Successful exploitation has high confidentiality impact (unauthorized access to Private Browsing tabs) and high availability impact on the affected system; integrity is not affected (I:N).

Apple's security advisories confirm the issue was fixed via improved state management in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, and watchOS 11.2. Mitigation requires updating to these versions or later, with further details available at https://support.apple.com/en-us/121837, https://support.apple.com/en-us/121839, https://support.apple.com/en-us/121843, and https://support.apple.com/en-us/121846.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products

apple / safari: ≤ 18.2
apple / ipados: ≤ 18.2
apple / iphone os: ≤ 18.2
apple / macos: ≤ 15.2
apple / watchos: ≤ 11.2

CVEs Like This One

- CVE-2026-20626 (same product: Apple iPadOS)
- CVE-2025-31182 (same product: Apple iPadOS)
- CVE-2026-20667 (same product: Apple iPadOS)
- CVE-2025-24150 (same product: Apple iPadOS)
- CVE-2023-43010 (same product: Apple iPadOS)
- CVE-2025-43529 (same product: Apple iPadOS)
- CVE-2025-31273 (same product: Apple iPadOS)
- CVE-2024-54543 (same product: Apple iPadOS)
- CVE-2025-31278 (same product: Apple iPadOS)
- CVE-2024-54551 (same product: Apple iPadOS)