Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Local delivery via installed app with low user privileges; only confidentiality impacted as data is read but not modified or disrupted.
Primary rating from Vendor (apple).
CVSS VectorVendor: apple
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.
AnalysisAI
Unauthorized sensitive user data access in Apple macOS prior to Sequoia 15.4 allows a locally installed app to read private user information due to the presence of vulnerable code that has since been removed. The flaw is classified under CWE-359 (Exposure of Private Personal Information), indicating an API or code path exposed protected data to apps without proper entitlement or permission checks. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; SSVC assesses exploitation as none and technical impact as partial.
Technical ContextAI
The vulnerability is rooted in CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor - meaning macOS contained code that permitted an application to access sensitive user data (such as contacts, location, photos, health records, or similar privacy-protected resources) beyond its intended entitlement boundary. Apple's advisory notes the fix was applied by removing the vulnerable code entirely, suggesting the exposure was tied to a specific, isolatable code path rather than a logic flaw requiring redesign. The affected product per CPE is cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*, covering macOS versions below 15.4 in the Sequoia release line. The local attack vector (AV:L) and low-privilege requirement (PR:L) in the CVSS vector are consistent with an on-device application exploiting a permissive API without needing elevated system rights.
RemediationAI
Vendor-released patch: macOS Sequoia 15.4. Update immediately via System Settings > General > Software Update. Apple's security advisory is available at https://support.apple.com/en-us/122373. For systems that cannot immediately update, the primary compensating control is to restrict installation of untrusted or third-party applications using macOS Gatekeeper and MDM-enforced allowlisting - note this does not eliminate risk from previously installed apps or apps from the App Store that may leverage the vulnerable path. Organizations managing fleets should prioritize macOS 15.4 deployment via MDM (e.g., Jamf, Mosyle) given the low complexity of exploitation once an app is present on the device. No workaround that neutralizes the underlying code path is feasible without the patch.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210115
GHSA-mxv9-646f-j7qv