CVE-2025-24170
Published: 31 March 2025
Summary
CVE-2025-24170 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Apple Macos. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the file handling logic flaw by requiring timely identification, reporting, and remediation through patches like macOS Sonoma 14.7.5 and Ventura 13.7.5.
Restricts or controls user-installed software, preventing malicious apps from being installed and executed to exploit the privilege escalation vulnerability.
Enforces least privilege for processes and users, limiting the scope and impact of root privilege escalation resulting from the incorrect default permissions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a local privilege escalation vulnerability (CWE-276 incorrect default permissions in file handling) that allows a malicious app to gain root access on macOS, directly enabling T1068 Exploitation for Privilege Escalation.
NVD Description
A logic issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to gain root privileges.
Deeper analysisAI
CVE-2025-24170 is a logic issue in file handling that affects macOS Sonoma prior to version 14.7.5 and macOS Ventura prior to version 13.7.5. Classified under CWE-276 (Incorrect Default Permissions), the vulnerability enables an app to gain root privileges. It received a CVSS v3.1 base score of 7.8 (High), reflecting its potential severity in privilege escalation scenarios. The issue was published on 2025-03-31.
The attack requires local access (AV:L) with low complexity (AC:L), no prior privileges (PR:N), and user interaction (UI:R), with no change in scope (S:U). A local attacker could exploit this by tricking a user into interacting with a malicious app, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), ultimately resulting in root privilege escalation.
Apple mitigated the vulnerability through improved file handling in macOS Sonoma 14.7.5 and macOS Ventura 13.7.5. Practitioners should apply these updates promptly. Further details appear in Apple's security content at https://support.apple.com/en-us/122374 and https://support.apple.com/en-us/122375, as well as Full Disclosure mailing list posts at http://seclists.org/fulldisclosure/2025/Apr/10 and http://seclists.org/fulldisclosure/2025/Apr/9.
Details
- CWE(s)