Skip to main content

macOS Sequoia CVE-2025-31272

| EUVDEUVD-2025-210116 HIGH
Improper Privilege Management (CWE-269)
2026-06-11 apple GHSA-8gvc-mhh7-w4gq
7.8
CVSS 3.1 · Vendor: apple
Share

Severity by source

Vendor (apple) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local privilege escalation requires prior code execution as a standard user (AV:L, PR:L), no user interaction, and yields full system compromise (C/I/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apple).

CVSS VectorVendor: apple

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 21:30 vuln.today
CVSS changed
Jun 11, 2026 - 20:22 NVD
7.8 (HIGH)
Patch available
Jun 11, 2026 - 20:01 EUVD
CVE Published
Jun 11, 2026 - 18:47 cve.org
HIGH 7.8
CVE Published
Jun 11, 2026 - 18:47 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges.

AnalysisAI

Privilege escalation in Apple macOS Sequoia prior to 15.4 allows a locally executing application to bypass launch constraint protections and run malicious code with elevated privileges. The flaw, reported by Apple and tracked as EUVD-2025-210116, carries CVSS 7.8 (local, low complexity, low privileges) and CWE-269 improper privilege management, with no public exploit identified at time of analysis and CISA SSVC marking exploitation status as 'none'.

Technical ContextAI

Launch constraints are a macOS code-signing/integrity mechanism Apple introduced (notably in Ventura and expanded in Sonoma/Sequoia) that restricts which parent processes, paths, and entitlements can launch a given Mach-O binary, hardening LaunchDaemons and system services against being invoked by attacker-controlled processes. The root cause class CWE-269 (Improper Privilege Management) indicates the constraint-enforcement logic failed to fully validate the launch context, letting a process invoke a constrained binary outside its intended trust boundary. The affected CPE cpe:2.3:a:apple:macos covers macOS prior to Sequoia 15.4, where Apple states the issue was addressed with 'improved checks'.

RemediationAI

Vendor-released patch: macOS Sequoia 15.4 - upgrade affected endpoints to 15.4 or later via Software Update, referencing Apple's advisory at https://support.apple.com/en-us/122373. Where immediate upgrade is not possible, compensating controls should focus on the local-attacker prerequisite: restrict installation of unsigned or unnotarized applications by enforcing Gatekeeper at the strictest setting and deploying a Mobile Device Management profile that blocks 'Allow apps from anywhere', monitor with EDR for unexpected child-process launches of system LaunchDaemons or constrained binaries, and reduce standing local-admin rights so that the PR:L precondition is harder to satisfy. Trade-offs: Gatekeeper hardening can break legitimate in-house tooling that is not notarized, and removing admin rights from developer workstations typically requires a privilege-elevation workflow to avoid productivity loss.

Share

CVE-2025-31272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy