CVE-2025-43509
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Description
This issue was addressed with improved data protection. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to access sensitive user data.
Analysis
Improper data access control in macOS allows a local application to read sensitive user data without explicit user consent; exploitation requires user interaction. The vulnerability affects macOS Sequoia (before 15.7.3), macOS Sonoma (before 14.8.3), and macOS Tahoe (before 26.2). No public exploit code or active exploitation has been identified; EPSS probability is extremely low at 0.01%, indicating minimal real-world attack likelihood despite the moderate CVSS score.
Technical Context
This vulnerability is rooted in CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), reflecting a data protection failure at the operating system level. The underlying issue stems from inadequate access controls or sandbox restrictions that govern inter-process communication and file system permissions on macOS. The affected systems span multiple major macOS versions (Sequoia, Sonoma, and Tahoe), indicating a systemic flaw in how the OS enforces confidentiality boundaries between applications and sensitive user data stores. The fix is categorized as 'improved data protection,' suggesting Apple strengthened the visibility rules for sensitive data, refined privilege escalation checks, or hardened the app sandbox enforcement mechanisms.
Affected Products
Apple macOS across multiple versions is affected: macOS Sequoia versions before 15.7.3, macOS Sonoma versions before 14.8.3, and macOS Tahoe versions before 26.2. All macOS installations running these affected versions are potentially vulnerable. Detailed information is available in Apple's official security advisories at https://support.apple.com/en-us/125886, https://support.apple.com/en-us/125887, and https://support.apple.com/en-us/125888.
Remediation
Vendor-released patches are available: macOS Sequoia users should update to version 15.7.3 or later, macOS Sonoma users should update to version 14.8.3 or later, and macOS Tahoe users should update to version 26.2 or later. Updates can be obtained through System Settings > General > Software Update on affected systems. No workarounds are documented for systems unable to immediately patch; users should restrict local access to their systems and avoid granting elevated privileges to untrusted applications. Refer to Apple's security advisories at https://support.apple.com/en-us/125886, https://support.apple.com/en-us/125887, and https://support.apple.com/en-us/125888 for comprehensive guidance.
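To audit hosts against the fixed releases listed above, the following is an added example (not from Apple or from this page's source) that classifies a macOS version string. The function names `ver_ge` and `cve_2025_43509_status` are hypothetical, and the sample versions in the loop are constructed; only the thresholds 14.8.3, 15.7.3 and 26.2 come from this page.

```shell
#!/bin/sh
# Added example: compare a macOS version with the fixed releases this page
# lists for CVE-2025-43509. Function names are hypothetical.

# ver_ge A B: succeed when dotted version A >= B, compared numerically per
# component (so 26.10 > 26.2); missing components count as 0.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Prints a status line; returns 0 patched, 1 vulnerable, 2 invalid, 3 unlisted.
cve_2025_43509_status() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid version string"; return 2 ;;
    esac
    major=${ver%%.*}
    case $major in
        14) fixed=14.8.3 ;;   # macOS Sonoma
        15) fixed=15.7.3 ;;   # macOS Sequoia
        26) fixed=26.2 ;;     # macOS Tahoe
        *)  echo "unlisted: this page names no fixed release for macOS $major"
            return 3 ;;
    esac
    if ver_ge "$ver" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable: update to $fixed or later"
        return 1
    fi
}

# Constructed sample versions, so the script also runs off a Mac.
# On a real host: cve_2025_43509_status "$(sw_vers -productVersion)"
for v in 14.8.2 15.7.3 26.1 26.10 13.7; do
    printf '%s -> ' "$v"
    cve_2025_43509_status "$v" || :
done
```

A release line that this page does not list is reported as unlisted rather than assumed safe or vulnerable.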