Cyber Resilience

CVE-2025-43257

High

Published: 02 April 2026

Published
02 April 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 8.7 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0018 7.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-43257 is a high-severity Link Following (CWE-59) vulnerability in Apple Macos. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).

Deeper analysis

CVE-2025-43257 is a vulnerability stemming from improper handling of symlinks, classified under CWE-59. It affects macOS Sequoia versions prior to 15.6, where a sandboxed app can potentially escape its containment.

The vulnerability has a CVSS v3.1 base score of 8.7 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating exploitation requires local access, low privileges, low complexity, and no user interaction. A malicious app running within a sandbox can leverage this flaw to break out, achieving high impacts on confidentiality and integrity across the system's scope, with a low impact on availability.

Apple's advisory confirms the issue was fixed in macOS Sequoia 15.6 via improved symlink handling. Practitioners should apply this update promptly; see https://support.apple.com/en-us/124149 for full details.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct sandbox escape via symlink mishandling enables local exploitation for privilege escalation from a low-privileged sandboxed context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20610Same product: Apple Macos
CVE-2025-30457Same product: Apple Macos
CVE-2025-24195Same product: Apple Macos
CVE-2026-28925Same product: Apple Macos
CVE-2025-24228Same product: Apple Macos
CVE-2025-30464Same product: Apple Macos
CVE-2026-28891Same product: Apple Macos
CVE-2026-28817Same product: Apple Macos
CVE-2025-30449Same product: Apple Macos
CVE-2026-28919Same product: Apple Macos

Affected Assets

apple
macos
≤ 15.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely identification, reporting, and correction of the improper symlink handling flaw fixed in macOS 15.6.

prevent

Enforces sandbox containment through software isolation and policy mechanisms that address symlink-based breakout attempts by malicious apps.

prevent

Implements a tamper-proof reference monitor for the sandbox to mediate all access decisions, preventing symlink traversal exploits.

References