Cyber Posture

CVE-2025-31182

Critical

Published: 31 March 2025

Modified: 02 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31182 is a critical-severity Missing Authorization (CWE-862) vulnerability in Apple macOS. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE is ranked in the top 47.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Enforces approved authorizations for access to system resources, directly addressing the improper symlink handling that allowed unauthorized file deletions.

prevent: Implements a tamper-proof reference monitor that mediates all access attempts, preventing symlink-based bypasses of access controls.

prevent: Prevents unauthorized information transfer via shared system resources like symlinks, mitigating the vulnerability's exploitation for arbitrary file deletion.

MITRE ATT&CK Enterprise Techniques [AI]

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

The vulnerability enables arbitrary file deletion without authorization via symlink mishandling, directly facilitating data destruction (T1485) and indicator removal through file deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. An app may be able to delete files for which it does not have permission.

Deeper analysis [AI]

CVE-2025-31182 is a vulnerability involving improper handling of symlinks that allows an app to delete files for which it lacks permission. It affects Apple's operating systems prior to the following versions: iOS and iPadOS before 18.4, macOS Sequoia before 15.4, macOS Sonoma before 14.7.5, macOS Ventura before 13.7.5, tvOS before 18.4, visionOS before 2.4, and watchOS before 11.4. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by a remote attacker with no privileges or user interaction required, typically through a malicious app that leverages flawed symlink handling to access and delete unauthorized files. Attackers can achieve arbitrary file deletion on the affected device, potentially leading to data loss, disruption of system functions, or exposure of sensitive information if critical files are targeted.

Apple's security advisories detail that the issue was addressed through improved symlink handling in the specified patched versions. Relevant updates are documented in support pages such as https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, https://support.apple.com/en-us/122375, and https://support.apple.com/en-us/122376, recommending immediate application of these updates for mitigation.

Details

CWE(s)

Affected Products

apple ipados: ≤ 18.4
apple iphone os: ≤ 18.4
apple macos: ≤ 13.7.5 · 14.0 — 14.7.5
apple tvos: ≤ 18.4
apple visionos: ≤ 2.4

CVEs Like This One

CVE-2026-20626 (Same product: Apple iPadOS)
CVE-2025-24230 (Same product: Apple iPadOS)
CVE-2025-31281 (Same product: Apple iPadOS)
CVE-2025-24243 (Same product: Apple iPadOS)
CVE-2025-24211 (Same product: Apple iPadOS)
CVE-2025-24173 (Same product: Apple iPadOS)
CVE-2025-30471 (Same product: Apple iPadOS)
CVE-2025-30426 (Same product: Apple iPadOS)
CVE-2025-24190 (Same product: Apple iPadOS)
CVE-2024-40771 (Same product: Apple iPadOS)

References