Description
This issue was addressed by adding a delay between verification code attempts. This issue is fixed in macOS Sequoia 15.4. A malicious app may be able to access a user's saved passwords.
Published: 2025-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Saved Passwords
Action: Patch
AI Analysis

Impact

The vulnerability stems from missing delay enforcement between verification code attempts in the macOS Keychain, which leaves rapid successive queries unrestricted. Because proper authorization checks (CWE-862) are not applied, a malicious program can read a user's stored passwords without any additional authentication. The description explicitly states that a malicious app may access saved passwords; from this it is inferred that the lack of a delay permits repeated keychain reads that expose sensitive credentials.

Affected Systems

Apple macOS, all releases older than Sequoia 15.4. The fix is delivered in Sequoia 15.4; any macOS version that has not received this update remains vulnerable.

Risk and Exploitability

The CVSS score of 9.8 places the flaw in the Critical range, while the EPSS score of less than 1% indicates a low current likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need local execution of a malicious application, as implied by the requirement for a malicious app to access Keychain data. Once executed, the app can read stored passwords without authentication, underscoring the importance of applying the vendor patch.

Generated by OpenCVE AI on April 28, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install macOS Sequoia 15.4 or later to apply the vendor patch that enforces the required delay.
  • Enable Gatekeeper to permit applications only from the Mac App Store or identified developers, reducing the likelihood that a malicious app can be installed.
  • Configure System Preferences → Security & Privacy → General to require a password immediately after sleep or screen saver to limit exposure windows.

Advisories
Source: EUVD
ID: EUVD-2025-8966
Title: This issue was addressed by adding a delay between verification code attempts. This issue is fixed in macOS Sequoia 15.4. A malicious app may be able to access a user's saved passwords.
History

Tue, 28 Apr 2026 12:15:00 +0000

Title: macOS Keychain Delay Bypass Exposes Saved Passwords

Mon, 03 Nov 2025 22:30:00 +0000

References

Fri, 04 Apr 2025 19:45:00 +0000

First Time appeared: Apple; Apple macos
CPEs: cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products: Apple; Apple macos

Tue, 01 Apr 2025 14:15:00 +0000

Weaknesses: CWE-862
Metrics:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Description: This issue was addressed by adding a delay between verification code attempts. This issue is fixed in macOS Sequoia 15.4. A malicious app may be able to access a user's saved passwords.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:17:37.751Z

Reserved: 2025-01-17T00:00:45.009Z

Link: CVE-2025-24245

Vulnrichment

Updated: 2025-11-03T21:10:42.514Z

NVD

Status : Modified

Published: 2025-03-31T23:15:21.720

Modified: 2025-11-03T22:18:35.687

Link: CVE-2025-24245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:00:13Z

Weaknesses