CVE-2025-31194
Published: 31 March 2025
Summary
CVE-2025-31194 is a critical-severity Missing Authorization (CWE-862) vulnerability in Apple macOS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it ranks at the 46.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Enforces least privilege to prevent Shortcuts from executing with unnecessary administrative privileges without authentication, directly mitigating the privilege escalation vulnerability.
- AC-3 (Access Enforcement): Requires enforcement of approved authorizations, addressing the improper state management that allowed unauthorized access to administrative functions in Shortcuts.
- AC-14 (Permitted Actions Without Identification or Authentication): Defines and limits the specific actions permissible without identification or authentication, preventing administrative Shortcut execution without proper checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote unauthenticated exploitation over the network to execute Shortcuts with administrative privileges without authorization, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation) to achieve full system compromise.
NVD Description
An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A Shortcut may run with admin privileges without authentication.
Deeper analysis
CVE-2025-31194 is an authentication vulnerability caused by improper state management, affecting the Shortcuts feature in macOS. This flaw allows a Shortcut to execute with administrative privileges without requiring authentication. The issue impacts macOS Sequoia versions prior to 15.4, macOS Sonoma prior to 14.7.5, and macOS Ventura prior to 13.7.5. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables the attacker to run a Shortcut with admin privileges, achieving high impacts on confidentiality, integrity, and availability, which could result in full system compromise.
Apple advisories indicate the issue was fixed with improved state management in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Security practitioners should apply these updates promptly, with further details available in the referenced Apple support pages and Full Disclosure mailing list postings.
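As an added example (not part of this advisory, and not Apple's tooling), the following POSIX shell check maps a macOS product version to the fixed release named for its branch in the NVD description above (Sequoia 15.4, Sonoma 14.7.5, Ventura 13.7.5) and reports whether the host is at or above it. The function names and the version-key normalization are this example's own; `sw_vers -productVersion` is the standard macOS command for reading the product version, and the script falls back to it only when run on a Mac with no argument.

```shell
#!/bin/sh
# Added example: is a given macOS version at or above the release that fixes
# CVE-2025-31194 on its branch? Fixed releases are taken from the NVD text;
# helper names (ver_key, cve_2025_31194_patched, report) are this example's own.

# ver_key "15.4.1" -> 15004001 : normalize a dotted version into one integer
# (major, then zero-padded minor and patch) so numeric comparison is safe.
ver_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    printf '%d%03d%03d' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# Exit status: 0 = at/above the fixed release, 1 = below it (update needed),
# 2 = major version not covered by this advisory (consult Apple directly).
cve_2025_31194_patched() {
    v="$1"
    case "${v%%.*}" in
        15) fixed=15.4 ;;    # macOS Sequoia
        14) fixed=14.7.5 ;;  # macOS Sonoma
        13) fixed=13.7.5 ;;  # macOS Ventura
        *)  return 2 ;;
    esac
    [ "$(ver_key "$v")" -ge "$(ver_key "$fixed")" ]
}

# Human-readable verdict for one version string; passes the status through.
report() {
    rc=0
    cve_2025_31194_patched "$1" || rc=$?
    case $rc in
        0) echo "$1: at or above the fixed release; CVE-2025-31194 is addressed" ;;
        1) echo "$1: below the fixed release for its branch; update required" ;;
        *) echo "$1: branch not covered by this advisory; check Apple support pages" ;;
    esac
    return $rc
}

# Stand-alone use: check the version given as $1, or (on a Mac) the running system.
if [ -n "${1:-}" ]; then
    report "$1"
elif command -v sw_vers >/dev/null 2>&1; then
    report "$(sw_vers -productVersion)"
fi
```

Run it with a version argument in a fleet inventory loop, or without one on the host itself; a non-zero exit status makes it usable directly in an audit pipeline.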
Details
- CWE(s)