Skip to main content

Apple macOS CVE-2025-43278

| EUVDEUVD-2025-210111 MEDIUM
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-06-11 apple GHSA-gwqw-93fq-pw78
5.5
CVSS 3.1 · Vendor: apple
Share

Severity by source

Vendor (apple) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

Local attack via malicious app with no special privileges, but requires user to run the app (UI:R); only confidentiality impact as symlink following exposes data without modification.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apple).

CVSS VectorVendor: apple

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 12, 2026 - 22:24 vuln.today
CVSS changed
Jun 12, 2026 - 22:22 NVD
5.5 (MEDIUM)
Patch available
Jun 11, 2026 - 20:01 EUVD
CVE Published
Jun 11, 2026 - 18:47 cve.org
MEDIUM 5.5
CVE Published
Jun 11, 2026 - 18:47 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.

AnalysisAI

Symlink-following vulnerability in Apple macOS prior to 15.4 allows a malicious locally-installed application to access protected user data by exploiting improper handling of UNIX symbolic links. Affected systems are all macOS versions below Sequoia 15.4, per CPE cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*. No public exploit or active exploitation has been identified; the EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Apple has issued a fix in macOS Sequoia 15.4.

Technical ContextAI

The root cause is CWE-61 (UNIX Symbolic Link Following), a class of vulnerability where a privileged or trusted process follows a symlink crafted by a lower-privileged entity, thereby operating on a file outside the intended directory boundary. On macOS, protected user data (such as contacts, photos, calendars, or location data) is guarded by the Transparency Consent and Control (TCC) framework, which enforces per-app entitlement checks. If an application can substitute a symlink in place of an expected file path before a TCC-governed operation resolves it, it may cause the OS to dereference the symlink and expose data the calling app would not normally be permitted to read. The affected product per CPE is Apple macOS across all versions prior to 15.4 (cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*).

RemediationAI

Vendor-released patch: macOS Sequoia 15.4. Users should update via System Settings > General > Software Update. The Apple security advisory at https://support.apple.com/en-us/122373 provides authoritative guidance. As a compensating control prior to patching, organizations can restrict installation of untrusted or unnotarized applications via macOS Gatekeeper and MDM policies (e.g., set allowedApplications or require App Store-only sources), which reduces the likelihood of a malicious app reaching execution. This has the trade-off of blocking legitimate third-party software. Restricting TCC database write permissions via MDM profiles to specific trusted apps can further reduce the blast radius. No patch-free mitigation fully eliminates the vulnerability; upgrading to 15.4 is the definitive fix.

Share

CVE-2025-43278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy