Skip to main content

Apple macOS CVE-2025-30459

| EUVDEUVD-2025-210115 MEDIUM
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2026-06-11 apple GHSA-mxv9-646f-j7qv
5.5
CVSS 3.1 · Vendor: apple
Share

Severity by source

Vendor (apple) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

Local delivery via installed app with low user privileges; only confidentiality impacted as data is read but not modified or disrupted.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apple).

CVSS VectorVendor: apple

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 21:36 vuln.today
CVSS changed
Jun 11, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
Jun 11, 2026 - 20:01 EUVD
CVE Published
Jun 11, 2026 - 18:47 cve.org
MEDIUM 5.5
CVE Published
Jun 11, 2026 - 18:47 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.

AnalysisAI

Unauthorized sensitive user data access in Apple macOS prior to Sequoia 15.4 allows a locally installed app to read private user information due to the presence of vulnerable code that has since been removed. The flaw is classified under CWE-359 (Exposure of Private Personal Information), indicating an API or code path exposed protected data to apps without proper entitlement or permission checks. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; SSVC assesses exploitation as none and technical impact as partial.

Technical ContextAI

The vulnerability is rooted in CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor - meaning macOS contained code that permitted an application to access sensitive user data (such as contacts, location, photos, health records, or similar privacy-protected resources) beyond its intended entitlement boundary. Apple's advisory notes the fix was applied by removing the vulnerable code entirely, suggesting the exposure was tied to a specific, isolatable code path rather than a logic flaw requiring redesign. The affected product per CPE is cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*, covering macOS versions below 15.4 in the Sequoia release line. The local attack vector (AV:L) and low-privilege requirement (PR:L) in the CVSS vector are consistent with an on-device application exploiting a permissive API without needing elevated system rights.

RemediationAI

Vendor-released patch: macOS Sequoia 15.4. Update immediately via System Settings > General > Software Update. Apple's security advisory is available at https://support.apple.com/en-us/122373. For systems that cannot immediately update, the primary compensating control is to restrict installation of untrusted or third-party applications using macOS Gatekeeper and MDM-enforced allowlisting - note this does not eliminate risk from previously installed apps or apps from the App Store that may leverage the vulnerable path. Organizations managing fleets should prioritize macOS 15.4 deployment via MDM (e.g., Jamf, Mosyle) given the low complexity of exploitation once an app is present on the device. No workaround that neutralizes the underlying code path is feasible without the patch.

Share

CVE-2025-30459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy