Cyber Posture

CVE-2025-24173

High · LPE

Published: 31 March 2025
Modified: 02 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24173 is a high-severity Improper Access Control (CWE-284) vulnerability in Apple macOS. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Enforces approved authorizations including entitlement checks to prevent apps from accessing resources outside their sandbox.

prevent

Maintains process isolation to block sandbox escapes by confining apps to designated security boundaries.

prevent

Implements a tamper-proof reference monitor to mediate all access decisions, directly countering improper entitlement enforcement in sandboxes.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Sandbox escape via improper entitlement checks directly enables exploitation for privilege escalation, allowing an app to access unauthorized system resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. An app may be able to break out of its sandbox.

Deeper analysis · AI

CVE-2025-24173 is a sandbox escape vulnerability (CWE-284: Improper Access Control) affecting multiple Apple operating systems, including iOS prior to version 18.4, iPadOS prior to 18.4 and 17.7.6, macOS Sequoia prior to 15.4, macOS Sonoma prior to 14.7.5, macOS Ventura prior to 13.7.5, tvOS prior to 18.4, visionOS prior to 2.4, and watchOS prior to 11.4. Published on 2025-03-31, the issue stems from insufficient entitlement checks, enabling an app to break out of its designated sandbox. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by a local attacker with no required privileges, provided they have local access and can induce user interaction, such as running a malicious app. Upon execution, the app escapes its sandbox confines, potentially granting high-impact access to unauthorized system resources, compromising confidentiality, integrity, and availability without changing scope.

Apple security advisories detail that the issue was mitigated through additional entitlement checks, with fixes available in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, and watchOS 11.4. Practitioners should prioritize updating affected devices. Further details are in the advisories at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122372, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, and https://support.apple.com/en-us/122375.

Details

CWE(s)

Affected Products

apple ipados: ≤ 17.7.6 · 18.0 — 18.4
apple iphone os: ≤ 18.4
apple macos: ≤ 13.7.5 · 14.0 — 14.7.5 · 15.0 — 15.4
apple tvos: ≤ 18.4
apple visionos: ≤ 2.4

CVEs Like This One

CVE-2026-20628 (Same product: Apple iPadOS)
CVE-2025-43510 (Same product: Apple iPadOS)
CVE-2025-24159 (Same product: Apple iPadOS)
CVE-2026-20700 (Same product: Apple iPadOS)
CVE-2025-43520 (Same product: Apple iPadOS)
CVE-2025-24085 (Same product: Apple iPadOS)
CVE-2026-20698 (Same product: Apple iPadOS)
CVE-2026-28876 (Same product: Apple iPadOS)
CVE-2025-24238 (Same product: Apple iPadOS)
CVE-2026-20688 (Same product: Apple iPadOS)
