Cyber Resilience

CVE-2025-24254

High

Published: 31 March 2025

Published
31 March 2025
Modified
02 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24254 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Apple Macos. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 27.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-24254 is a privilege escalation vulnerability stemming from inadequate validation of symbolic links in macOS. It affects macOS Sequoia prior to version 15.4, macOS Sonoma prior to 14.7.5, and macOS Ventura prior to 13.7.5. The issue, classified under CWE-269 (Improper Privilege Management), received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) upon its publication on March 31, 2025.

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to gain elevated privileges, potentially resulting in high confidentiality, integrity, and availability impacts on the affected system.

Apple's security advisories detail the fix as improved symlink validation, with patches available in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Additional details appear in support documents at https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, and https://support.apple.com/en-us/122375, alongside full disclosure discussions on seclists.org from early April 2025.

EU & UK References

Vulnerability details

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A user may be able to elevate privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a privilege escalation vulnerability in macOS due to inadequate symbolic link validation (CWE-269), directly enabling T1068 Exploitation for Privilege Escalation by allowing low-privileged authenticated users to gain elevated access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28840Same product: Apple Macos
CVE-2025-43199Same product: Apple Macos
CVE-2026-28919Same product: Apple Macos
CVE-2024-44250Same product: Apple Macos
CVE-2026-28976Same product: Apple Macos
CVE-2024-54509Same product: Apple Macos
CVE-2025-24176Same product: Apple Macos
CVE-2025-24267Same product: Apple Macos
CVE-2025-43306Same product: Apple Macos
CVE-2026-20658Same product: Apple Macos

Affected Assets

apple
macos
13.0 — 13.7.5 · 14.0 — 14.7.5 · 15.0 — 15.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses inadequate symlink validation by requiring checks on filesystem inputs like symlinks to prevent privilege escalation.

prevent

Implements a reference monitor that mediates all resource accesses, including symlinks, enforcing proper validation to block unauthorized privilege elevation.

prevent

Enforces least privilege to restrict low-privileged users from elevating rights via symlink exploitation in macOS.

References