CVE-2025-30462

Critical

Published: 31 March 2025

Published

31 March 2025

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 41.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30462 is a critical-severity Improper Access Control (CWE-284) vulnerability in Apple Macos. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-39 (Process Isolation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely identification, reporting, and application of patches that fix the library injection vulnerability in macOS.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to prevent apps from bypassing App Sandbox restrictions through unauthorized library injection.

SC-39 Process Isolation good match

prevent

Maintains process isolation via sandboxing to block execution without restrictions despite apparent sandbox usage.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1211 Exploitation for Stealth Stealth

Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

attack.mitre.org →

T1574.004 Dylib Hijacking Stealth

Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.

attack.mitre.org →

Why these techniques?

CVE enables library injection by bypassing macOS App Sandbox (improper access control), directly facilitating Dylib Hijacking for code execution, Exploitation for Privilege Escalation to gain elevated access, and Exploitation for Defense Evasion to subvert sandbox protections.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A library injection issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. Apps that appear to use App Sandbox may be able to launch without restrictions.

Deeper analysisAI

CVE-2025-30462 is a library injection vulnerability (CWE-284: Improper Access Control) affecting macOS systems prior to the patched versions. The issue allows apps that appear to use App Sandbox to launch without restrictions, enabling unauthorized bypass of sandbox protections. It was addressed with additional restrictions in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as injecting malicious libraries to evade App Sandbox and gain elevated privileges or execute arbitrary code on targeted macOS systems.

Apple security advisories detail the fix through additional library injection restrictions in the specified macOS updates. Practitioners should apply macOS Sequoia 15.4, Sonoma 14.7.5, or Ventura 13.7.5 immediately. Further details are available in Apple's updates at https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, and https://support.apple.com/en-us/122375, along with full disclosure notes at http://seclists.org/fulldisclosure/2025/Apr/10 and http://seclists.org/fulldisclosure/2025/Apr/8.

Details

CWE(s): CWE-284

Affected Products

apple

macos

≤ 13.7.5 · 14.0 — 14.7.5 · 15.0 — 15.4

CVEs Like This One

CVE-2025-43198Same product: Apple Macos

CVE-2025-24241Same product: Apple Macos

CVE-2025-24229Same product: Apple Macos

CVE-2026-20622Same product: Apple Macos

CVE-2025-43192Same product: Apple Macos

CVE-2025-43194Same product: Apple Macos

CVE-2025-43184Same product: Apple Macos

CVE-2026-28837Same product: Apple Macos

CVE-2025-43232Same product: Apple Macos

CVE-2025-30460Same product: Apple Macos

References

https://support.apple.com/en-us/122373
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122374
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122375
Release Notes, Vendor Advisory · product-security@apple.com
http://seclists.org/fulldisclosure/2025/Apr/10
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Apr/8
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Apr/9
af854a3a-2127-422b-91ae-364da2661108