Cyber Posture

CVE-2025-24232

Critical

Published: 31 March 2025

Modified: 02 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24232 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apple macOS. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 36.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Flaw remediation requires timely patching of the macOS state management vulnerability, directly preventing malicious apps from accessing arbitrary files.

Prevent: User-installed software restrictions block installation and execution of malicious apps that exploit this vulnerability to gain unauthorized file access.

Prevent: Access enforcement mechanisms limit malicious apps' ability to bypass state management and read arbitrary files on the filesystem.

MITRE ATT&CK Enterprise Techniques AI

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The vulnerability enables a malicious app to read arbitrary local files, directly facilitating T1005 (Data from Local System) for sensitive data and system information, and T1552.001 (Credentials In Files) for credential exposure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to access arbitrary files.

Deeper analysis AI

CVE-2025-24232 is a critical vulnerability in Apple's macOS operating system stemming from inadequate state management, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It affects macOS Sequoia prior to version 15.4, macOS Sonoma prior to 14.7.5, and macOS Ventura prior to 13.7.5. The flaw enables a malicious app to access arbitrary files on the system, earning a CVSS v3.1 base score of 9.8 due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.

A remote attacker can exploit this vulnerability by distributing a malicious app that users install and execute, requiring no additional privileges or interaction beyond initial app launch. Successful exploitation grants the app unauthorized read access to sensitive files across the filesystem, potentially exposing user data, credentials, or system information. The high CVSS impacts suggest broader disruption potential, including file modification or deletion, though the primary effect is arbitrary file access.

Apple's security advisories detail the fix through improved state management in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Security practitioners should prioritize patching affected systems, verify app sources, and monitor for anomalous app behavior. Relevant details are available in Apple support bulletins at https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, and https://support.apple.com/en-us/122375, along with full disclosure discussions on seclists.org.

Details

CWE(s)

Affected Products

Apple macOS
13.0 — 13.7.5 · 14.0 — 14.7.5 · 15.0 — 15.4

CVEs Like This One

CVE-2025-24246 (Same product: Apple macOS)
CVE-2025-24146 (Same product: Apple macOS)
CVE-2025-30424 (Same product: Apple macOS)
CVE-2025-24263 (Same product: Apple macOS)
CVE-2025-24204 (Same product: Apple macOS)
CVE-2025-24109 (Same product: Apple macOS)
CVE-2025-24253 (Same product: Apple macOS)
CVE-2025-43189 (Same product: Apple macOS)
CVE-2025-24250 (Same product: Apple macOS)
CVE-2025-24174 (Same product: Apple macOS)

References