CVE-2025-24253

Critical

Published: 31 March 2025

Published

31 March 2025

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24253 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apple Macos. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by remediating the specific symlink handling flaw through timely application of vendor security patches.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations to block apps from bypassing protections and accessing sensitive user data via symlinks.

SC-4 Information in Shared System Resources partial match

prevent

Prevents unauthorized information disclosure through shared system resources exploited by improper symlink handling.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Remote unauthenticated access to protected user data via symlink mishandling directly enables T1190 (exploiting public-facing apps for initial access) and facilitates T1005 (collecting sensitive data from local system).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access protected user data.

Deeper analysisAI

CVE-2025-24253 is a vulnerability in macOS involving improper handling of symlinks, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It affects macOS Sequoia prior to version 15.4, macOS Sonoma prior to 14.7.5, and macOS Ventura prior to 13.7.5. The issue allows an app to access protected user data, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.

A remote attacker with no privileges can exploit this vulnerability over the network without user interaction. Successful exploitation enables the attacker to gain high-impact access to protected user data, potentially compromising confidentiality, integrity, and availability through the symlink mishandling mechanism.

Apple's security advisories detail the fix as improved symlink handling in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Practitioners should apply these updates promptly, as referenced in Apple support documents (e.g., https://support.apple.com/en-us/122373) and Full Disclosure mailing list postings from April 2025.

Details

CWE(s): CWE-200

Affected Products

apple

macos

13.0 — 13.7.5 · 14.0 — 14.7.5 · 15.0 — 15.4

CVEs Like This One

CVE-2025-24246Same product: Apple Macos

CVE-2025-24146Same product: Apple Macos

CVE-2025-30424Same product: Apple Macos

CVE-2025-24263Same product: Apple Macos

CVE-2025-24204Same product: Apple Macos

CVE-2025-24109Same product: Apple Macos

CVE-2025-24232Same product: Apple Macos

CVE-2025-43189Same product: Apple Macos

CVE-2025-24250Same product: Apple Macos

CVE-2025-24174Same product: Apple Macos

References

https://support.apple.com/en-us/122373
Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122374
Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122375
Vendor Advisory · product-security@apple.com
http://seclists.org/fulldisclosure/2025/Apr/10
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Apr/8
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Apr/9
af854a3a-2127-422b-91ae-364da2661108