Cyber Posture

CVE-2025-24093

Critical

Published: 27 January 2025

Modified: 02 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (24.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24093 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Apple macOS. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Removable Media (T1025). The CVE ranks at the 24.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and MP-2 (Media Access).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Removable Media (T1025) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely identification, reporting, and patching of the macOS permissions flaw allowing apps unauthorized access to removable volumes.

prevent

Enforces approved authorizations preventing apps from accessing removable volumes without user consent.

prevent

Restricts access to removable media volumes to authorized users or processes, mitigating unauthorized app access.

MITRE ATT&CK Enterprise Techniques · AI

T1025 Data from Removable Media (Tactic: Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.

T1052.001 Exfiltration over USB (Tactic: Exfiltration)
Adversaries may attempt to exfiltrate data over a USB connected physical device.

Why these techniques?

The vulnerability permits malicious applications to read from and write to removable volumes like USB drives without user consent, directly facilitating data collection from removable media (T1025) and exfiltration over physical media via USB (T1052.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to access removable volumes without user consent.

Deeper analysis · AI

CVE-2025-24093 is a permissions vulnerability classified under CWE-276 (Incorrect Default Permissions) affecting Apple's macOS operating system. The issue allows an app to access removable volumes, such as USB drives, without user consent due to insufficient restrictions on permissions. It impacts macOS Sequoia versions prior to 15.4, macOS Sonoma prior to 14.7.3, and macOS Ventura prior to 13.7.3. The vulnerability received a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Any remote attacker can exploit this vulnerability by delivering a malicious app to a target system, enabling the app to read from or write to removable volumes without prompting the user. No special privileges or local access are needed, and exploitation requires only low complexity over the network. Successful exploitation grants the attacker unauthorized access to sensitive data on attached removable media, potentially allowing theft, modification, or deletion of files.

Apple's security advisories detail the fix through additional permissions restrictions in the specified macOS updates: Sequoia 15.4, Sonoma 14.7.3, and Ventura 13.7.3. Security practitioners should prioritize patching affected systems, as outlined in the referenced support pages (e.g., https://support.apple.com/en-us/122069), and monitor for full disclosure discussions on platforms like seclists.org.

Details

CWE(s)

Affected Products

apple macos: ≤ 13.7.3 · 14.0 — 14.7.3

CVEs Like This One

CVE-2025-24267 (Same product: Apple macOS)
CVE-2025-24277 (Same product: Apple macOS)
CVE-2025-24234 (Same product: Apple macOS)
CVE-2025-24170 (Same product: Apple macOS)
CVE-2025-24207 (Same product: Apple macOS)
CVE-2025-24172 (Same product: Apple macOS)
CVE-2025-24135 (Same product: Apple macOS)
CVE-2025-24195 (Same product: Apple macOS)
CVE-2025-24176 (Same product: Apple macOS)
CVE-2025-30452 (Same product: Apple macOS)
