CRITICAL🇵🇱 Wersja polska

CVE-2025-24207

CVSS 9.8v3.1pub. 2025-03-31upd. 2026-04-02

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to enable iCloud storage features without user consent.

🤖 AI Analysis
How it works

The vulnerability results from insufficient restrictions (CWE-276 — improper default permissions) in the macOS access control mechanism. An application can exploit this flaw to independently activate iCloud features without requiring user interaction or elevated privileges. Apple fixed the issue by introducing additional restrictions in permission handling.

Impact

An attacker or malicious application can enable iCloud data storage features without the user's knowledge, which may lead to unintended transmission of private data to the cloud and compromise user control over their privacy and data.

Mitigation & patch

Update the system to macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5 according to information published by Apple at support.apple.com/en-us/122373, /122374, and /122375

Who is affected

Apple macOS Sequoia before version 15.4, macOS Sonoma before version 14.7.5, macOS Ventura before version 13.7.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple macOS

    OS
    Apple
    13.0 – 13.7.5 (bez)14.0 – 14.7.5 (bez)15.0 – 15.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki