Description
The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code.
Published: 2025-11-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Do Patch
AI Analysis

Impact

The vulnerability exists in Apple Compressor because the service accepts external connections without authentication. When external connections are enabled, an unauthenticated user on the same network can send crafted requests that cause the Compressor process to execute arbitrary code, potentially allowing full control of the impacted machine. The weakness corresponds to improper access control (CWE-284).

Affected Systems

Apple Compressor, versions prior to 4.11.1, running on any supported platform where external networking is enabled. All machines that expose the Compressor service to local network traffic are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity flaw, yet the EPSS score is less than 1%, suggesting low current exploitation activity. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker is an unauthenticated user on the adjacent (local) network, with the necessary precondition that the Compressor service accepts external connections. Exploitation therefore requires the attacker to be on the same subnet and to reach the service endpoint.

Generated by OpenCVE AI on April 22, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apple Compressor to version 4.11.1 or later
  • Configure firewalls or network segmentation to block inbound traffic to the Compressor service port
  • Disable or restrict external connections in Compressor configuration to reduce exposure if an upgrade is not immediately possible

Tracking

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Title Apple Compressor Remote Code Execution via External Connections

Mon, 17 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apple:compressor:*:*:*:*:*:*:*:*

Fri, 14 Nov 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared: Apple, Apple compressor
Vendors & Products: Apple, Apple compressor

Fri, 14 Nov 2025 04:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 13 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Description The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code.
References

Subscriptions

Apple Compressor
MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:23:48.331Z

Reserved: 2025-04-16T15:27:21.196Z

Link: CVE-2025-43515

Vulnrichment

Updated: 2025-11-14T03:23:36.019Z

NVD

Status : Analyzed

Published: 2025-11-13T19:15:47.907

Modified: 2025-11-17T19:21:44.987

Link: CVE-2025-43515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses