CVE-2025-43257

High

Published: 02 April 2026

Published

02 April 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 8.7 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

EPSS Score 0.0001 3.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-43257 is a high-severity Link Following (CWE-59) vulnerability in Apple Macos. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely identification, reporting, and correction of the improper symlink handling flaw fixed in macOS 15.6.

SC-50 Software-enforced Separation and Policy Enforcement good match

prevent

Enforces sandbox containment through software isolation and policy mechanisms that address symlink-based breakout attempts by malicious apps.

AC-25 Reference Monitor good match

prevent

Implements a tamper-proof reference monitor for the sandbox to mediate all access decisions, preventing symlink traversal exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Direct sandbox escape via symlink mishandling enables local exploitation for privilege escalation from a low-privileged sandboxed context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox.

Deeper analysisAI

CVE-2025-43257 is a vulnerability stemming from improper handling of symlinks, classified under CWE-59. It affects macOS Sequoia versions prior to 15.6, where a sandboxed app can potentially escape its containment.

The vulnerability has a CVSS v3.1 base score of 8.7 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating exploitation requires local access, low privileges, low complexity, and no user interaction. A malicious app running within a sandbox can leverage this flaw to break out, achieving high impacts on confidentiality and integrity across the system's scope, with a low impact on availability.

Apple's advisory confirms the issue was fixed in macOS Sequoia 15.6 via improved symlink handling. Practitioners should apply this update promptly; see https://support.apple.com/en-us/124149 for full details.

Details

CWE(s): CWE-59

Affected Products

apple

macos

≤ 15.6

CVEs Like This One

CVE-2026-20610Same product: Apple Macos

CVE-2025-30457Same product: Apple Macos

CVE-2025-24267Same product: Apple Macos

CVE-2026-28817Same product: Apple Macos

CVE-2025-24277Same product: Apple Macos

CVE-2025-24234Same product: Apple Macos

CVE-2025-24255Same product: Apple Macos

CVE-2025-24170Same product: Apple Macos

CVE-2025-24228Same product: Apple Macos

CVE-2026-20658Same product: Apple Macos

References

https://support.apple.com/en-us/124149
Release Notes, Vendor Advisory · product-security@apple.com