CVE-2025-24180
Published: 31 March 2025
Summary
CVE-2025-24180 is a high-severity Open Redirect (CWE-601) vulnerability in Apple Safari. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks at the 35.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
The CVE was caused by insufficient input validation in WebAuthn allowing cross-site credential claims, which SI-10 directly and comprehensively addresses by mandating input validation at critical points.
SI-2 requires timely flaw remediation, directly mitigating this CVE by ensuring patches like Safari 18.4 are identified, tested, and applied to correct the WebAuthn vulnerability.
RA-5 supports detection of CVE-2025-24180 through vulnerability scanning of Apple browsers and OSes, enabling proactive patching before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables credential theft by a malicious website that exploits the WebAuthn validation flaw, which maps directly to delivery via a spearphishing link and to stealing credentials from web browsers.
NVD Description
The issue was addressed with improved input validation. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4. A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix.
Deeper analysis
CVE-2025-24180 is a vulnerability in the WebAuthn implementation that allows a malicious website to claim credentials registered to another website sharing a registrable suffix, due to insufficient input validation. The issue affects Apple's Safari browser and operating systems including iOS 18.4 and earlier, iPadOS 18.4 and earlier, macOS Sequoia 15.4 and earlier, visionOS 2.4 and earlier, and watchOS 11.4 and earlier. It is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-601 (URL Redirection to Untrusted Site).
An attacker can exploit this vulnerability by hosting a malicious website and tricking a user into interacting with it, for example during WebAuthn registration or authentication. No special privileges are required, but user interaction is necessary, typically by visiting the site and approving a credential operation. Successful exploitation lets the attacker access high-integrity WebAuthn credentials (such as FIDO2 passkeys) belonging to a legitimate site that shares a domain suffix, potentially compromising user authentication on that site without affecting availability.
Apple security advisories confirm the vulnerability was addressed through improved input validation in Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, and watchOS 11.4. Users are advised to update to these versions promptly, as detailed in the referenced support pages (https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, https://support.apple.com/en-us/122378, https://support.apple.com/en-us/122379).
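As an added illustration (not Apple's code and not taken from the advisory), the check below shows the Relying Party ID validation that closes the class of issue described here: an RP ID is accepted only if it equals the caller's host or is a registrable-domain suffix of it, so a public suffix shared by unrelated sites is rejected. The public-suffix set, the hostnames and the deliberately weak naive_rp_id_check are constructed for this example.

```python
from typing import Optional

# Constructed subset of the Public Suffix List, enough for the cases below.
PUBLIC_SUFFIXES = {"com", "io", "uk", "co.uk", "github.io"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the public suffix plus one label (the registrable domain).

    Returns None when the host is itself a public suffix or ends in a suffix
    we do not know; both are treated conservatively as not registrable."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def naive_rp_id_check(origin_host: str, rp_id: str) -> bool:
    """Constructed weak check (illustrative only): accepts any label-boundary
    suffix, so a site under a shared public suffix such as 'github.io' could
    claim that suffix as its RP ID and match credentials of sibling sites."""
    origin_host, rp_id = origin_host.lower(), rp_id.lower()
    return origin_host == rp_id or origin_host.endswith("." + rp_id)


def is_valid_rp_id(origin_host: str, rp_id: str) -> bool:
    """Hardened check: the RP ID must be a label-boundary suffix of the
    origin host AND sit at or below the origin's registrable domain, so it
    can never be a public suffix shared by unrelated sites."""
    if not naive_rp_id_check(origin_host, rp_id):
        return False
    reg = registrable_domain(origin_host)
    if reg is None:
        return False
    rp = rp_id.lower()
    return rp == reg or rp.endswith("." + reg)
```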
Details
- CWE(s)