CVE-2025-24146

Critical

Published: 27 January 2025

Published

27 January 2025

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 41.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24146 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apple Macos. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 41.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-19 (De-identification).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-19 De-identification good match

prevent

Requires de-identification of PII such as user contact information, directly mitigating inadequate redaction that exposes it in system logs during conversation deletion.

AU-13 Monitoring for Information Disclosure good match

detect

Monitors systems for information disclosures, enabling identification of sensitive user contact information exposed in system logging.

AU-9 Protection of Audit Information partial match

prevent

Protects audit information and system logs from unauthorized access, limiting exploitation of unredacted sensitive contact data.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The vulnerability exposes sensitive user contact information in system logs due to inadequate redaction, directly facilitating adversary access to data from the local system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. Deleting a conversation in Messages may expose user contact information in system logging.

Deeper analysisAI

CVE-2025-24146 is a vulnerability in the Messages application on macOS systems, where deleting a conversation may expose user contact information in system logging due to inadequate redaction of sensitive information. The affected versions include macOS Sequoia prior to 15.3, macOS Sonoma prior to 14.7.3, and macOS Ventura prior to 13.7.3. Published on 2025-01-27, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Remote attackers can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Exploitation enables access to exposed user contact information within system logs, resulting in high impacts on confidentiality, integrity, and availability as scored by CVSS.

Apple advisories confirm the issue was fixed through improved redaction of sensitive information in macOS Sequoia 15.3, macOS Sonoma 14.7.3, and macOS Ventura 13.7.3. Security practitioners should apply these updates promptly to mitigate exposure risks, with detailed information available in Apple support documents at https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122069, https://support.apple.com/en-us/122070, and Full Disclosure mailing list posts at http://seclists.org/fulldisclosure/2025/Jan/15 and http://seclists.org/fulldisclosure/2025/Jan/16.

Details

CWE(s): CWE-200

Affected Products

apple

macos

≤ 13.7.3 · 14.0 — 14.7.3 · 15.0 — 15.3

CVEs Like This One

CVE-2025-24246Same product: Apple Macos

CVE-2025-30424Same product: Apple Macos

CVE-2025-24263Same product: Apple Macos

CVE-2025-24204Same product: Apple Macos

CVE-2025-24109Same product: Apple Macos

CVE-2025-24253Same product: Apple Macos

CVE-2025-24232Same product: Apple Macos

CVE-2025-43189Same product: Apple Macos

CVE-2025-24229Same product: Apple Macos

CVE-2025-24181Same product: Apple Macos

References

https://support.apple.com/en-us/122068
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122069
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122070
Release Notes, Vendor Advisory · product-security@apple.com
http://seclists.org/fulldisclosure/2025/Jan/15
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jan/16
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jan/17
af854a3a-2127-422b-91ae-364da2661108