Cyber Resilience

CVE-2025-43184

Critical

Published: 30 July 2025

Modified: 02 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-43184 is a critical-severity Improper Access Control (CWE-284) vulnerability in Apple macOS. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 36.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-43184 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting the Shortcuts app on macOS systems, classified under CWE-284 (Improper Access Control). It allows a malicious shortcut to bypass sensitive Shortcuts app settings, enabling unauthorized access or actions that would normally be restricted. The flaw impacts macOS versions prior to Sequoia 15.4, Sonoma 14.7.7, and Ventura 13.7.7.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). By delivering a specially crafted shortcut—potentially via email, messaging, or web download—an attacker could bypass app protections, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). This could lead to unauthorized data access, modification of system settings, or execution of harmful actions through the Shortcuts automation framework.

Apple's security advisories detail the fix, implemented by adding an additional prompt for user consent before sensitive operations. The issue is patched in macOS Sequoia 15.4, Sonoma 14.7.7, and Ventura 13.7.7; users should update immediately. Further details are available in Apple support documents at https://support.apple.com/en-us/122373, https://support.apple.com/en-us/124150, and https://support.apple.com/en-us/124151, along with Full Disclosure mailing list entries at http://seclists.org/fulldisclosure/2025/Jul/33 and http://seclists.org/fulldisclosure/2025/Jul/34.

Vulnerability details

This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A shortcut may be able to bypass sensitive Shortcuts app settings.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

T1548.006 · TCC Manipulation · Privilege Escalation
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions.

Why these techniques?

Bypass of Shortcuts app consent controls enables unauthorized automation actions (Unix shell via shortcuts) and TCC manipulation on macOS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-43232 · Same product: Apple macOS
CVE-2025-30460 · Same product: Apple macOS
CVE-2024-40858 · Same product: Apple macOS
CVE-2025-24241 · Same product: Apple macOS
CVE-2024-44303 · Same product: Apple macOS
CVE-2026-28837 · Same product: Apple macOS
CVE-2025-43233 · Same product: Apple macOS
CVE-2026-20622 · Same product: Apple macOS
CVE-2025-30462 · Same product: Apple macOS
CVE-2025-43198 · Same product: Apple macOS

Affected Assets

apple
macos
≤ 13.7.7 · 14.0 — 14.7.7 · 15.0 — 15.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: AC-3 enforces approved authorizations for access to system resources, directly preventing malicious shortcuts from bypassing sensitive Shortcuts app settings.

Prevent: AC-6 applies least privilege to restrict shortcut processes to only necessary permissions, mitigating unauthorized actions enabled by the access control bypass.

Prevent: IA-11 requires re-authentication for sensitive operations via user consent prompts, matching the CVE fix that added an extra prompt to block unauthorized shortcut execution.
