CVE-2025-24103
Published: 27 January 2025
Summary
CVE-2025-24103 is a medium-severity Link Following (CWE-59) vulnerability in Apple Macos. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient symlink validation by requiring checks on file path inputs to prevent unauthorized access to protected data.
Remediates the specific symlink flaw through timely identification, reporting, and application of vendor patches like macOS updates.
Enforces access control policies to block apps from bypassing restrictions and accessing protected user data via symlinks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The symlink validation bypass directly enables unauthorized reading of protected local user data via a malicious app, mapping to T1005 Data from Local System.
NVD Description
This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to access protected user data.
Deeper analysisAI
CVE-2025-24103 is a symlink validation vulnerability (CWE-59) affecting macOS systems prior to the patched versions of macOS Sequoia 15.3, macOS Sonoma 14.7.3, and macOS Ventura 13.7.3. The flaw allows an app to bypass security restrictions and access protected user data due to insufficient checks on symbolic links during file operations. It has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), indicating a medium-severity local confidentiality issue.
A local attacker can exploit this vulnerability by crafting a malicious app that leverages symlinks to read sensitive user data otherwise protected from unauthorized access. Exploitation requires low complexity and no special privileges (PR:N), but user interaction is necessary, such as running the app. Successful attacks result in high-impact unauthorized disclosure of confidential information without affecting integrity or availability.
Apple's security advisories detail the fix as improved symlink validation, urging users to update to macOS Sequoia 15.3, Sonoma 14.7.3, or Ventura 13.7.3. Relevant support pages include https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122069, and https://support.apple.com/en-us/122070, with additional full disclosure discussions at http://seclists.org/fulldisclosure/2025/Jan/15 and http://seclists.org/fulldisclosure/2025/Jan/16.
Details
- CWE(s)