CVE-2025-31279
Published: 30 July 2025
Summary
CVE-2025-31279 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apple macOS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082). The CVE ranks at the 30.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations and restrictions on app access to user data, directly addressing the permissions issue that enables fingerprinting.
- AC-6 (Least Privilege): Applies least privilege to apps, preventing the excessive permissions that allow the unauthorized user fingerprinting described in this CVE.
- SI-2 (Flaw Remediation): Requires timely flaw remediation through patching to the fixed OS versions that implement additional permissions restrictions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Permissions flaw enables unauthorized access to sensitive device/user data, directly facilitating system information discovery by a malicious app.
NVD Description
A permissions issue was addressed with additional restrictions. This issue is fixed in iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to fingerprint the user.
Deeper analysis
CVE-2025-31279 is a permissions issue classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), enabling an app to fingerprint the user. It affects iPadOS versions prior to 17.7.9, macOS Sequoia prior to 15.6, macOS Sonoma prior to 14.7.7, and macOS Ventura prior to 13.7.7. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-07-30.
The vulnerability can be exploited remotely over the network with low attack complexity, requiring no privileges, no user interaction, and no change in scope. An attacker can leverage a malicious app to fingerprint the user, resulting in high impacts to confidentiality, integrity, and availability.
Apple advisories indicate the issue was addressed by implementing additional restrictions on permissions. Mitigation requires updating to iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, or macOS Ventura 13.7.7. Further details are provided in the Apple support documents at https://support.apple.com/en-us/124148, https://support.apple.com/en-us/124149, https://support.apple.com/en-us/124150, and https://support.apple.com/en-us/124151, and in the Full Disclosure posting at http://seclists.org/fulldisclosure/2025/Jul/31.
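For patch verification across a fleet, the fixed releases above can be checked per OS branch. The following is an added example, not code from Apple or from this page; the function names and the sample inventory are constructed for illustration, and any OS branch this page does not list is reported as `unknown` rather than guessed.

```python
# Added example: triage an inventory against the fixed releases named on this page.
# Function names and the sample inventory are constructed for illustration.

# Fixed release per (platform, major version), as listed in the NVD description.
FIXED = {
    ("macOS", 15): (15, 6, 0),    # Sequoia
    ("macOS", 14): (14, 7, 7),    # Sonoma
    ("macOS", 13): (13, 7, 7),    # Ventura
    ("iPadOS", 17): (17, 7, 9),
}

def parse_version(text):
    """'14.7' -> (14, 7, 0); raises ValueError on non-numeric parts (e.g. betas)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def patch_status(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"              # unparseable string: needs manual review
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        return "unknown"              # branch not covered by this page's fix list
    return "patched" if v >= fixed else "vulnerable"

def triage(inventory):
    """Map each host name to its status."""
    return {host: patch_status(platform, version)
            for host, platform, version in inventory}

# Constructed sample inventory: (host, platform, reported OS version).
SAMPLE_INVENTORY = [
    ("mac-001", "macOS", "15.5"),
    ("mac-002", "macOS", "15.6"),
    ("mac-003", "macOS", "14.7.6"),
    ("mac-004", "macOS", "13.7.7"),
    ("mac-005", "macOS", "12.7.6"),
    ("ipad-001", "iPadOS", "17.7.8"),
    ("ipad-002", "iPadOS", "18.5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check against the Apple support documents, since this page gives no fixed version for their branch.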
Details
- CWE(s)