CVE-2025-30465

Critical

Published: 31 March 2025

Published

31 March 2025

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 41.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30465 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Apple Macos. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations and validates permissions to directly prevent the Shortcuts app from accessing normally inaccessible files.

AC-6 Least Privilege partial match

prevent

Applies least privilege to limit the Shortcuts app's access to only necessary resources, mitigating unauthorized file access even if validation is bypassed.

SC-39 Process Isolation partial match

prevent

Maintains process isolation for Shortcuts app executions, containing permission bypasses and restricting unauthorized file access within isolated domains.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The vulnerability is a client-side permissions bypass in the Shortcuts app allowing malicious shortcuts to access normally restricted files, directly mapping to T1203 (Exploitation for Client Execution) for remote exploitation of the app and T1005 (Data from Local System) for the resulting unauthorized file access and potential exfiltration.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

A permissions issue was addressed with improved validation. This issue is fixed in iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sequoia 15.7.2, macOS Sonoma 14.7.5, macOS Sonoma 14.8.2, macOS Tahoe 26.1, macOS Ventura 13.7.5. A shortcut may be able to access…

files that are normally inaccessible to the Shortcuts app.

Deeper analysisAI

CVE-2025-30465 is a permissions vulnerability (CWE-276) in Apple's Shortcuts app, stemming from insufficient validation that allows a shortcut to access files normally inaccessible to the app. It affects iPadOS and macOS systems prior to the following fixed releases: iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sequoia 15.7.2, macOS Sonoma 14.7.5, macOS Sonoma 14.8.2, macOS Tahoe 26.1, and macOS Ventura 13.7.5. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Remote attackers require no privileges or user interaction to exploit this vulnerability over a network with low complexity. By leveraging a malicious shortcut, attackers can gain unauthorized access to sensitive files, potentially enabling data exfiltration, modification, or disruption of system resources.

Apple's security advisories detail the fix through improved permissions validation and recommend updating to the patched versions listed above. Relevant support pages include https://support.apple.com/en-us/122372, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, https://support.apple.com/en-us/122375, and https://support.apple.com/en-us/125634.

Details

CWE(s): CWE-276

Affected Products

apple

ipados

≤ 17.7.6

apple

macos

≤ 13.7.5 · 14.0 — 14.7.5 · 15.0 — 15.4

CVEs Like This One

CVE-2025-43222Same product: Apple Ipados

CVE-2025-24267Same product: Apple Macos

CVE-2025-24277Same product: Apple Macos

CVE-2025-31279Same product: Apple Ipados

CVE-2025-24118Same product: Apple Ipados

CVE-2025-24238Same product: Apple Ipados

CVE-2025-24234Same product: Apple Macos

CVE-2025-24170Same product: Apple Macos

CVE-2025-24102Same product: Apple Ipados

CVE-2025-24207Same product: Apple Macos

References

https://support.apple.com/en-us/122372
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122373
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122374
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/122375
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/125634
product-security@apple.com
https://support.apple.com/en-us/125635
product-security@apple.com
https://support.apple.com/en-us/125636
product-security@apple.com
http://seclists.org/fulldisclosure/2025/Apr/10
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Apr/5
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Apr/8
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Apr/9
af854a3a-2127-422b-91ae-364da2661108