Cyber Resilience

CVE-2025-43237

Severity: Critical
Published: 30 July 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: fixed in macOS Sequoia 15.6
CVSS Score (v3.1): 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0045 (64.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-43237 is a critical-severity out-of-bounds write (CWE-787) vulnerability in Apple macOS. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-43237 is an out-of-bounds write vulnerability (CWE-787) that Apple addressed with improved bounds checking in macOS. It affects versions prior to macOS Sequoia 15.6, where an app may be able to cause unexpected system termination. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: a network attack vector, low attack complexity, and no privileges or user interaction required.

A remote, unauthenticated attacker can exploit this issue over the network to achieve high impacts on confidentiality, integrity, and availability, including the potential for unexpected system termination via a malicious app.

Apple's advisory confirms the issue is fixed in macOS Sequoia 15.6. Additional details are available in the Apple support document at https://support.apple.com/en-us/124149 and the Full Disclosure mailing list entry at http://seclists.org/fulldisclosure/2025/Jul/32.

EU & UK References

Vulnerability details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6. An app may be able to cause unexpected system termination.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVSS vector (AV:N, PR:N) describes an out-of-bounds write that an unauthenticated remote attacker can reach in a macOS service, which maps directly to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-30464 (same product: Apple macOS)
- CVE-2025-24247 (same product: Apple macOS)
- CVE-2026-28825 (same product: Apple macOS)
- CVE-2025-30437 (same product: Apple macOS)
- CVE-2025-24260 (same product: Apple macOS)
- CVE-2025-43219 (same product: Apple macOS)
- CVE-2025-24231 (same product: Apple macOS)
- CVE-2025-24139 (same product: Apple macOS)
- CVE-2024-54509 (same product: Apple macOS)
- CVE-2025-24273 (same product: Apple macOS)

Affected Assets

Apple macOS ≤ 15.6

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): mandates timely identification, reporting, and patching of flaws such as this out-of-bounds write, which is fixed in macOS Sequoia 15.6.
- SI-10 Information Input Validation (prevent): requires input validation, including bounds checking, which directly prevents exploitation of the out-of-bounds write (CWE-787).
- SI-16 Memory Protection (prevent): enforces memory-protection mechanisms such as ASLR and DEP to mitigate memory corruption from out-of-bounds writes and limit the impact of unexpected system termination.

References