CVE-2025-24229 - Vulnerability Details

- Sandboxed App May Access Sensitive User Data Due to Logic Issue in macOS

Description

A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A sandboxed app may be able to access sensitive user data.

Published: 2025-03-31

Score: 7.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a logic flaw that allows a sandboxed application to bypass intended access controls and read sensitive user data. This flaw results in an unauthorized disclosure of data and is classified as CWE-284 Improper Access Control. No special user action is required beyond normal app usage.

Affected Systems

The issue affects Apple macOS versions that were released before the update that fixes the logic issue. Specifically, any release prior to macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5 remains vulnerable.

Risk and Exploitability

With a CVSS score of 7.4 the vulnerability carries a high severity rating, while the EPSS score of less than 1% indicates a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a malicious sandboxed application that a user installs, which can then exploit the logic error to access protected data; this inference is based on the description of the vulnerable behavior.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 13.7.5
`0`	affected	< 14.7.5
`0`	affected	< 15.4

Configuration 1 [-]

OR	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade macOS to a version that includes the fixed logic checks, such as Sequoia 15.4, Sonoma 14.7.5 or Ventura 13.7.5.
If an upgrade cannot be performed immediately, limit the installation and execution of new sandboxed applications until the update is applied to reduce the risk of data exposure.
Apply general macOS security hardening practices, including disabling unnecessary services and regularly reviewing system logs, to mitigate potential similar access control issues.

Generated by OpenCVE AI on April 28, 2026 at 02:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-8977	A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A sandboxed app may be able to access sensitive user data.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0033.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://seclists.org/fulldisclosure/2025/Apr/10
http://seclists.org/fulldisclosure/2025/Apr/8
http://seclists.org/fulldisclosure/2025/Apr/9
https://support.apple.com/en-us/122373
https://support.apple.com/en-us/122374
https://support.apple.com/en-us/122375

History

Tue, 28 Apr 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title		Sandboxed App May Access Sensitive User Data Due to Logic Issue in macOS

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A sandboxed app may be able to access sensitive user data.	A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A sandboxed app may be able to access sensitive user data.

Mon, 03 Nov 2025 21:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2025/Apr/10 http://seclists.org/fulldisclosure/2025/Apr/8 http://seclists.org/fulldisclosure/2025/Apr/9

Mon, 07 Apr 2025 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos
CPEs		cpe:2.3:o:apple:macos::::::::
Vendors & Products		Apple Apple macos

Tue, 01 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A sandboxed app may be able to access sensitive user data.
References		https://support.apple.com/en-us/122373 https://support.apple.com/en-us/122374 https://support.apple.com/en-us/122375

Subscriptions

Apple Macos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-03-31T22:23:44.472Z

Updated: 2026-04-02T18:21:47.600Z

Reserved: 2025-01-17T00:00:45.005Z

Link: CVE-2025-24229

Vulnrichment

Updated: 2025-11-03T21:09:19.087Z

NVD

Status : Modified

Published: 2025-03-31T23:15:20.180

Modified: 2026-04-02T19:19:22.743

Link: CVE-2025-24229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:45:11Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object