CVE-2025-24167
Published: 31 March 2025
Summary
CVE-2025-24167 is a critical-severity an unspecified weakness vulnerability in Apple Safari. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 48.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-16 (Security and Privacy Attributes).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely flaw remediation through patching to versions with improved download origin state management.
Enforces information flow control policies based on origin, preventing incorrect association that enables cross-origin resource manipulation during downloads.
Manages security attributes like download origin to ensure proper association and block unauthorized data handling or security bypasses.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Browser vulnerability allowing remote no-interaction exploitation via flawed download origin association enables drive-by compromise (T1189) and client application exploitation for code execution (T1203).
NVD Description
This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4. A download's origin may be incorrectly associated.
Deeper analysisAI
CVE-2025-24167 is a high-severity vulnerability in Apple's ecosystem where a download's origin may be incorrectly associated, potentially leading to security bypasses. The issue affects Safari prior to version 18.4, iOS prior to 18.4, iPadOS prior to 18.4, macOS Sequoia prior to 15.4, and watchOS prior to 11.4. It was published on 2025-03-31 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its network accessibility, low attack complexity, and lack of prerequisites.
A remote attacker with no privileges or user interaction can exploit this vulnerability over the network. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, stemming from the flawed origin association during downloads, which might enable actions like cross-origin resource manipulation or unauthorized data handling.
Apple's security advisories detail that the vulnerability was addressed through improved state management. It is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, and watchOS 11.4. Practitioners should prioritize updating affected devices; relevant advisories are available at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, https://support.apple.com/en-us/122379, and http://seclists.org/fulldisclosure/2025/Apr/13.
Details
- CWE(s)