Cyber Posture

CVE-2025-24102

Critical

Published: 27 January 2025

Published
27 January 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0017 37.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24102 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apple Macos. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Location Discovery (T1614); ranked at the 37.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to System Location Discovery (T1614). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of software flaws like the insufficient location checks exploited in CVE-2025-24102, directly enabling patching to updated iPadOS and macOS versions.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations and access control checks to prevent apps from bypassing restrictions and determining user location.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Provides vulnerability scanning and monitoring to identify exposures like CVE-2025-24102 in affected Apple OS versions for prompt remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1614 System Location Discovery Discovery
attack.mitre.org →
Why these techniques?

The vulnerability directly enables unauthorized access to a user's current location via a malicious app, mapping to System Location Discovery (T1614).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user’s current location.

Deeper analysisAI

CVE-2025-24102 is a vulnerability that allows an app to determine a user’s current location, addressed through improved checks. It affects iPadOS versions prior to 17.7.4, macOS Sequoia prior to 15.3, macOS Sonoma prior to 14.7.3, and macOS Ventura prior to 13.7.3. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables exploitation over the network with low complexity, requiring no privileges or user interaction. An attacker can leverage a malicious app to gain high-impact access, including unauthorized determination of the user’s current location, potentially compromising confidentiality, integrity, and availability.

Apple advisories confirm the issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, and macOS Ventura 13.7.3 via improved checks. Mitigation requires updating affected systems to these patched versions, with details available in support documents at https://support.apple.com/en-us/122067, https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122069, https://support.apple.com/en-us/122070, and http://seclists.org/fulldisclosure/2025/Jan/14.

Details

CWE(s)
CWE-200

Affected Products

apple
ipados
≤ 17.7.4
apple
macos
13.0 — 13.7.3 · 14.0 — 14.7.3 · 15.0 — 15.3

CVEs Like This One

CVE-2025-31279Same product: Apple Ipados
CVE-2026-20606Same product: Apple Ipados
CVE-2025-43189Same product: Apple Macos
CVE-2025-24109Same product: Apple Macos
CVE-2025-24118Same product: Apple Ipados
CVE-2025-24246Same product: Apple Macos
CVE-2025-30465Same product: Apple Ipados
CVE-2025-24250Same product: Apple Macos
CVE-2025-24146Same product: Apple Macos
CVE-2025-43222Same product: Apple Ipados

References