CVE-2025-5199

HIGH
2025-07-12 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 08:56 vuln.today
Patch Released
Mar 16, 2026 - 08:56 nvd
Patch available
PoC Detected
Aug 26, 2025 - 18:37 vuln.today
Public exploit code
CVE Published
Jul 12, 2025 - 00:15 nvd
HIGH 7.3

Tags

Apple Privilege Escalation Multipass macOS

Description

In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup.

Analysis

CVE-2025-5199 is a local privilege escalation vulnerability in Canonical Multipass up to version 1.15.1 on macOS, where incorrect default file permissions on a Launch Daemon allow an authenticated local attacker to modify files executed with administrative privileges during system startup. An attacker with local user access can escalate to root/administrator level through file manipulation, presenting a high-impact privilege escalation risk on affected macOS systems.

Technical Context

The vulnerability stems from CWE-276 (Incorrect Default Permissions), a classic file permission misconfiguration issue. Canonical Multipass is a lightweight VM manager that uses Launch Daemons on macOS (system-level services that run at startup with elevated privileges). The root cause is that files executed by the Launch Daemon are writable by non-privileged local users due to overly permissive default file permissions. When the daemon executes these world-writable or group-writable files during system initialization, an attacker can pre-emptively modify them to inject malicious code that runs in the daemon's privileged context. This affects CPE: cpe:2.7:a:canonical:multipass:*:*:*:*:*:macos:*:* (versions ≤1.15.1). The vulnerability is specific to macOS implementations of Multipass and does not affect Linux or Windows variants.

Affected Products

Canonical Multipass (≤1.15.1)

Remediation

1. **Immediate Patch**: Upgrade Canonical Multipass to version 1.16.0 or later on macOS systems. 2. **Manual Permission Hardening** (if immediate upgrade is not possible): Audit and correct permissions on Multipass-related Launch Daemon files and associated binaries. Ensure files are owned by root:wheel with permissions 0755 (directories) and 0644 or 0755 (executables), removing world-writable and group-writable bits. 3. **Access Control**: Restrict local user accounts on macOS systems running Multipass; limit administrative group membership. 4. **Monitoring**: Monitor for unauthorized modifications to Multipass daemon files and system startup sequences. Check system logs for failed privilege escalation attempts. 5. **Vendor Advisory**: Consult Canonical's official security advisory and release notes for version 1.16.0+ for detailed remediation guidance and patch applicability across macOS versions.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: +20

Vendor Status

Ubuntu

Priority: High
multipass
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
upstream released 1.16.0

Share

CVE-2025-5199 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy