CVE-2025-24239 - Vulnerability Details

- App Access to Protected User Data via Downgrade Issue

Description

A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.

Published: 2025-03-31

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A downgrade issue in macOS allowed an application to bypass newly implemented code‑signing restrictions, potentially granting the app access to user data that is normally protected. The vulnerability is mitigated in macOS Sequoia 15.4, and the description states that an app may be able to read protected data after exploitation. While the CVSS score of 6.5 indicates moderate severity, the EPSS is below 1%, meaning that active exploitation is currently rare but not impossible.

Affected Systems

The issue affects macOS overall, with the fix applied in macOS Sequoia 15.4. No specific sub‑versions are listed beyond the mention of Sequoia 15.4, so any earlier releases that did not include the additional code‑signing restrictions are considered vulnerable.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the medium severity range. The EPSS score of less than 1% suggests an extremely low probability of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. Inference based on the description points to a downgrade attack vector, where an attacker installs an older version of an application that does not comply with the updated signing requirements. Exploitation would allow the app to read protected user data, compromising confidentiality. The overall risk is moderate, but mitigation is recommended to prevent potential data exposure.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 15.4

Configuration 1 [-]

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install macOS Sequoia 15.4 or later to apply the code‑signing restrictions added to the operating system.
Update all installed applications to the latest signed releases to eliminate any lingering downgrade paths.
Audit user‑level permissions for applications with elevated privileges, ensuring that only trusted apps have rights to access protected data.

Generated by OpenCVE AI on April 28, 2026 at 02:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-8956	A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00259.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://seclists.org/fulldisclosure/2025/Apr/8
https://support.apple.com/en-us/122373

History

Tue, 28 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Title		App Access to Protected User Data via Downgrade Issue

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2025/Apr/8

Fri, 04 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos
CPEs		cpe:2.3:o:apple:macos::::::::
Vendors & Products		Apple Apple macos

Tue, 01 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 01 Apr 2025 05:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
References		https://support.apple.com/en-us/122373

Subscriptions

Apple Macos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-03-31T22:24:11.191Z

Updated: 2026-04-02T18:25:07.527Z

Reserved: 2025-01-17T00:00:45.007Z

Link: CVE-2025-24239

Vulnrichment

Updated: 2025-11-03T21:10:10.508Z

NVD

Status : Modified

Published: 2025-03-31T23:15:21.157

Modified: 2025-11-03T22:18:34.777

Link: CVE-2025-24239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object