CVE-2025-30449
Published: 31 March 2025
Summary
CVE-2025-30449 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in Apple Macos. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Principle of least privilege directly prevents applications from escalating to root privileges beyond what is necessary, addressing the core permissions issue in CVE-2025-30449.
Access enforcement implements restrictions on permissions to block unauthorized root privilege gains by apps as exploited in this CVE.
Flaw remediation mandates patching the specific permissions vulnerability fixed in macOS updates for Sequoia 15.4, Sonoma 14.7.5, and Ventura 13.7.5.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a local permissions flaw (CWE-281) that directly allows a malicious app to escalate to root privileges on macOS, matching the definition of T1068 Exploitation for Privilege Escalation.
NVD Description
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to gain root privileges.
Deeper analysisAI
CVE-2025-30449 is a permissions issue, classified under CWE-281, that was addressed by Apple through additional restrictions. The vulnerability affects macOS Sequoia prior to version 15.4, macOS Sonoma prior to 14.7.5, and macOS Ventura prior to 13.7.5. It enables an app to gain root privileges on vulnerable systems.
The vulnerability has a CVSS v3.1 base score of 7.8 (High), with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. A local attacker requires no privileges and can exploit it with low attack complexity, but user interaction is necessary, such as running a malicious app. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability by elevating to root privileges.
Apple's security advisories confirm the issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Mitigation involves updating to these patched versions. Additional details are provided in Apple's support documents at https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, and https://support.apple.com/en-us/122375, as well as Full Disclosure mailing list posts at http://seclists.org/fulldisclosure/2025/Apr/10 and http://seclists.org/fulldisclosure/2025/Apr/8.
Details
- CWE(s)