CVE-2025-24109

Medium

Published: 27 January 2025

Published

27 January 2025

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS Score 0.0010 27.2th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24109 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apple Macos. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

CM-14 Signed Components good match

prevent

Requires signed components, directly enforcing code-signing restrictions to prevent apps from exploiting the downgrade vulnerability to access sensitive user data.

SI-7 Software, Firmware, and Information Integrity good match

prevent

Verifies software integrity using digital signatures, mitigating the code-signing downgrade that allows unauthorized app access to sensitive data.

SI-2 Flaw Remediation good match

prevent

Identifies, reports, and remediates system flaws like this macOS downgrade vulnerability through timely patching to the fixed versions.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

The vulnerability directly enables access to sensitive user data on the local system via a malicious app (T1005) and requires user execution of that malicious file to trigger exploitation (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to access sensitive user data.

Deeper analysisAI

CVE-2025-24109 is a downgrade vulnerability in macOS, addressed through additional code-signing restrictions. It affects macOS Sequoia versions prior to 15.3, macOS Sonoma prior to 14.7.3, and macOS Ventura prior to 13.7.3. The issue, associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), allows an app to access sensitive user data, with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A local attacker can exploit this vulnerability with low complexity and no required privileges, but user interaction is necessary, such as running a malicious app. Successful exploitation enables high-impact confidentiality violations, permitting access to sensitive user data without altering integrity or availability.

Apple's security advisories confirm the fix in macOS Sequoia 15.3, Sonoma 14.7.3, and Ventura 13.7.3, recommending immediate updates for mitigation. Further details appear in Apple's security content pages (support.apple.com/en-us/122068, 122069, 122070) and Full Disclosure mailing list posts from January 2025 (seclists.org/fulldisclosure/2025/Jan/15, 16).

Details

CWE(s): NVD-CWE-noinfo CWE-200

Affected Products

apple

macos

≤ 13.7.3 · 14.0 — 14.7.3 · 15.0 — 15.3

CVEs Like This One

CVE-2025-24246Same product: Apple Macos

CVE-2025-24146Same product: Apple Macos

CVE-2025-30424Same product: Apple Macos

CVE-2025-24263Same product: Apple Macos

CVE-2025-24204Same product: Apple Macos

CVE-2025-24253Same product: Apple Macos

CVE-2025-24232Same product: Apple Macos

CVE-2025-43189Same product: Apple Macos

CVE-2025-24250Same product: Apple Macos

CVE-2025-24174Same product: Apple Macos

References

https://support.apple.com/en-us/122068
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122069
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122070
Release Notes, Vendor Advisory · product-security@apple.com
http://seclists.org/fulldisclosure/2025/Jan/15
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jan/16
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jan/17
af854a3a-2127-422b-91ae-364da2661108