Description
This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4. A download's origin may be incorrectly associated.
Published: 2025-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential remote or local code execution through an incorrectly associated download origin
Action: Patch immediately
AI Analysis

Impact

An Apple software flaw allows a download’s origin to be incorrectly associated, meaning a file obtained from a malicious source could be treated as if it came from a trusted domain or application. The vulnerability originates from the way state is handled during download completion, and the lack of proper origin verification means a malicious file could be executed with the privileges of the user’s context. Because the flaw can lead to arbitrary code execution, it poses a significant threat to confidentiality, integrity, and availability of the affected systems.

Affected Systems

Apple’s browsers and operating systems are impacted: Safari (up to 18.3), iOS and iPadOS (prior to 18.4), macOS Sequoia (pre‑15.4), and watchOS (pre‑11.4). The issue is documented as fixed in Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, and watchOS 11.4. System administrators should verify that all Apple products are running one of the patched releases or newer.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score of less than 1% suggests that, at present, the probability of active exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the attack vector is likely a web‑based or download‑based scenario where an attacker provides a file that appears to originate from a trusted source, enabling privilege escalation or data compromise if the file is executed.

Generated by OpenCVE AI on April 28, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade every Apple product to a version that includes the patch: Safari 18.4 or later, iOS 18.4 / iPadOS 18.4, macOS 15.4 or newer, and watchOS 11.4 or newer.
  • Enable or enforce file origin verification such as the built‑in quarantine functionality that checks the download source before execution.
  • Run an updated anti‑virus or endpoint protection solution that scans all downloaded files for malicious code before they are opened.
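One way to act on the first recommendation at scale is to compare a device and browser inventory against the fixed releases this record names. The script below is an added example, not OpenCVE's or Apple's code; the host names and versions in its inventory are constructed, and it only knows the release lines named here (so an older macOS line such as 14.x is simply reported as below 15.4).

```python
"""Flag inventory rows still below the fixed releases named in this record."""
from typing import Iterable

# Minimum fixed releases as stated in the advisory text:
# Safari 18.4, iOS/iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4.
FIXED_VERSIONS = {
    "safari": "18.4",
    "ios": "18.4",
    "ipados": "18.4",
    "macos": "15.4",
    "watchos": "11.4",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.4.1' into (18, 4, 1); a non-numeric segment raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(installed: str, fixed: str) -> bool:
    """Numeric dotted-version compare, zero-padded so that 18.4 == 18.4.0 and 18.4.1 > 18.4."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched(inventory: Iterable[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return (host, product, version) rows whose version is below the fixed release."""
    findings = []
    for host, product, version in inventory:
        fixed = FIXED_VERSIONS.get(product.lower())
        if fixed is None:
            continue  # product not covered by this advisory
        if not version_at_least(version, fixed):
            findings.append((host, product, version))
    return findings


# Constructed sample inventory with hypothetical hosts; not data from the record.
SAMPLE_INVENTORY = [
    ("mac-01", "macos", "15.3.2"),
    ("mac-02", "macos", "15.4"),
    ("mac-02", "safari", "18.4.1"),
    ("mac-03", "safari", "18.3"),
    ("iphone-07", "ios", "18.4"),
    ("ipad-02", "ipados", "17.7.5"),
    ("watch-01", "watchos", "11.4"),
    ("linux-01", "firefox", "128.0"),
]

if __name__ == "__main__":
    for row in unpatched(SAMPLE_INVENTORY):
        print("UNPATCHED", *row)
```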



Advisories

  Source: EUVD
  ID: EUVD-2025-9012
  Title: This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A download's origin may be incorrectly associated.
History

Tue, 28 Apr 2026 02:45:00 +0000

Changes:
  Title: Improper Download Origin Association in Apple Mobile and Desktop Platforms
  Weaknesses: CWE-295

Thu, 02 Apr 2026 20:30:00 +0000

Changes:
  Description (removed): This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A download's origin may be incorrectly associated.
  Description (added): This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4. A download's origin may be incorrectly associated.
  References

Mon, 03 Nov 2025 21:30:00 +0000


Mon, 03 Nov 2025 20:30:00 +0000

Changes:
  References

Fri, 04 Apr 2025 19:45:00 +0000

Changes:
  First time appeared:
    Apple
    Apple ipados
    Apple iphone Os
    Apple safari
  Weaknesses: NVD-CWE-noinfo
  CPEs:
    cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  Vendors & Products:
    Apple
    Apple ipados
    Apple iphone Os
    Apple safari

Tue, 01 Apr 2025 04:15:00 +0000

Changes:
  Metrics:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Changes:
  Description: This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A download's origin may be incorrectly associated.
  References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:27:22.867Z

Reserved: 2025-01-17T00:00:44.989Z

Link: CVE-2025-24167

Vulnrichment

Updated: 2025-11-03T21:05:51.973Z

NVD

Status : Modified

Published: 2025-03-31T23:15:16.583

Modified: 2026-04-02T19:19:10.893

Link: CVE-2025-24167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses