Impact
The logging subsystem in Absolute Software Secure Access for MacOS prior to version 14.50 contains a format string vulnerability that allows a malicious server to craft log messages that force the client to output arbitrary memory contents to its log files. The disclosed memory may include sensitive data such as credentials or cryptographic material, representing a partial data leakage risk. This issue also qualifies as an information exposure vulnerability (CWE‑200), since it can reveal confidential information through the log output.
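The bug class described above, as an added example that is not Absolute Software's code: a hypothetical logger (`log_server_msg`) that keeps the format string constant so server text is only ever data, and a hypothetical check (`count_directives`) that flags server text containing printf directives. All names and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical logger, not the vendor's code. The vulnerable pattern is
 *     snprintf(out, n, server_msg);     // server text used as the format
 * where conversion directives in server_msg make the logger print whatever
 * sits in its argument slots, i.e. process memory, into the log file. */

/* Hardened form: the format is a constant; server text is only an argument,
 * so any '%' sequences it contains are copied to the log literally. */
int log_server_msg(char *out, size_t n, const char *server_msg)
{
    return snprintf(out, n, "[server] %s", server_msg);
}

/* Count printf-style conversion directives in untrusted text. "%%" is a
 * literal percent sign and a trailing lone '%' has no conversion, so neither
 * is counted. This is a heuristic: a non-zero result on server-supplied log
 * text is worth an alert, not proof of an attack. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample server messages. */
    const char *samples[] = { "tunnel up, 100%% ok", "id=%x %x %s", "plain" };
    char line[128];
    for (size_t i = 0; i < 3; i++) {
        log_server_msg(line, sizeof line, samples[i]);
        printf("%-32s directives=%d\n", line, count_directives(samples[i]));
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC and Clang) reports calls where a non-literal string is passed as the format with no arguments, which is the pattern shown in the comment.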
Affected Systems
Any Absolute Software Secure Access client for MacOS running a version earlier than 14.50 is vulnerable. Only the MacOS client is affected; no other operating systems or products are listed.
Risk and Exploitability
The CVSS score of 4.8 classifies the issue as "Low" severity. The EPSS score is 0.00014 (less than 1%), indicating a very low likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. An attacker must control a server that the client connects to, so the attack is typically carried out remotely. The risk increases if the client is configured to communicate with untrusted or malicious servers, but overall exploitability remains moderate and depends on the attacker having a compromised server available.
OpenCVE Enrichment