CVE-2025-24172
Published: 31 March 2025
Summary
CVE-2025-24172 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Apple Macos. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the permissions flaw by applying vendor patches in macOS Sequoia 15.4, Sonoma 14.7.5, and Ventura 13.7.5 that add sandbox restrictions.
Enforces controls on information flows to block unauthorized remote content from loading in Mail previews despite the 'Block All Remote Content' setting.
Implements sandbox-based access enforcement to address the permissions issue allowing unintended remote resource access in the Mail application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability bypasses the 'Block All Remote Content' setting in the macOS Mail app during email previews, directly enabling attackers to load remote resources from malicious emails without user interaction, which facilitates spearphishing link attacks.
NVD Description
A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. "Block All Remote Content" may not apply for all mail previews.
Deeper analysisAI
CVE-2025-24172 is a permissions issue, classified under CWE-276, affecting the Mail application on macOS. Specifically, the "Block All Remote Content" setting may not apply to all mail previews, allowing unintended access to remote resources. The vulnerability impacts macOS Sequoia versions prior to 15.4, macOS Sonoma versions prior to 14.7.5, and macOS Ventura versions prior to 13.7.5.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation occurs when a targeted user previews a malicious email, potentially enabling attackers to load remote content and achieve high impacts on confidentiality, integrity, and availability.
Apple's security advisories detail the fix through additional sandbox restrictions, resolving the issue in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Security practitioners should prioritize updating affected systems, with further mitigation guidance available in Apple's support documents at https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, and https://support.apple.com/en-us/122375.
Details
- CWE(s)