Multipass CVE-2025-5199

Severity: HIGH
Weakness: Incorrect Default Permissions (CWE-276)
Published: 2025-07-12 (security@ubuntu.com)
CVSS 3.1 score: 7.3 (NVD)

Severity by source

NVD (primary): 7.3 HIGH, AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Ubuntu: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 08:56 (vuln.today)
Patch released: Mar 16, 2026 - 08:56 (nvd). Patch available.
PoC Detected: Aug 26, 2025 - 18:37 (vuln.today). Public exploit code.
CVE Published: Jul 12, 2025 - 00:15 (nvd). HIGH 7.3.

Description (CVE.org)

In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup.

Analysis (AI)

CVE-2025-5199 is a local privilege escalation vulnerability in Canonical Multipass up to version 1.15.1 on macOS, where incorrect default file permissions on a Launch Daemon allow an authenticated local attacker to modify files executed with administrative privileges during system startup. An attacker with local user access can escalate to root/administrator level through file manipulation, presenting a high-impact privilege escalation risk on affected macOS systems.

Technical Context (AI)

The vulnerability stems from CWE-276 (Incorrect Default Permissions), a classic file permission misconfiguration issue. Canonical Multipass is a lightweight VM manager that uses Launch Daemons on macOS (system-level services that run at startup with elevated privileges). The root cause is that files executed by the Launch Daemon are writable by non-privileged local users due to overly permissive default file permissions. When the daemon executes these world-writable or group-writable files during system initialization, an attacker can pre-emptively modify them to inject malicious code that runs in the daemon's privileged context. This affects CPE: cpe:2.7:a:canonical:multipass:*:*:*:*:*:macos:*:* (versions ≤1.15.1). The vulnerability is specific to macOS implementations of Multipass and does not affect Linux or Windows variants.

Remediation (AI)

  1. Immediate Patch: Upgrade Canonical Multipass to version 1.16.0 or later on macOS systems.
  2. Manual Permission Hardening (if immediate upgrade is not possible): Audit and correct permissions on Multipass-related Launch Daemon files and associated binaries. Ensure files are owned by root:wheel with permissions 0755 (directories) and 0644 or 0755 (executables), removing world-writable and group-writable bits.
  3. Access Control: Restrict local user accounts on macOS systems running Multipass; limit administrative group membership.
  4. Monitoring: Monitor for unauthorized modifications to Multipass daemon files and system startup sequences. Check system logs for failed privilege escalation attempts.
  5. Vendor Advisory: Consult Canonical's official security advisory and release notes for version 1.16.0+ for detailed remediation guidance and patch applicability across macOS versions.
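
The permission audit from step 2, as an added example (not code from Canonical or from this page): it reads each launchd job plist in a directory and checks the plist, the program it launches, and every parent directory for a non-root owner or group/world write bits. The function names and the `/Library/LaunchDaemons` default are assumptions of this example; the page does not name Multipass's own files.

```python
import os
import plistlib
import stat
from pathlib import Path

def daemon_targets(plist_path):
    """Absolute paths a launchd job executes (Program, ProgramArguments[0])."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    args = job.get("ProgramArguments") or [None]
    found = [job.get("Program"), args[0]]
    return [p for p in dict.fromkeys(found) if isinstance(p, str) and os.path.isabs(p)]

def weak_links(path, owner_uid=0, stop_at="/"):
    """Check a file and each parent directory up to stop_at.
    A writable parent matters as much as a writable file: the file can be swapped."""
    findings, current, stop = [], Path(path), Path(stop_at)
    while True:
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            findings.append((str(current), "missing"))
        else:
            if st.st_uid != owner_uid:
                findings.append((str(current), f"owner uid {st.st_uid}"))
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if writable and not stat.S_ISLNK(st.st_mode):
                findings.append((str(current), f"mode {stat.S_IMODE(st.st_mode):04o}"))
        if current == stop or current.parent == current:
            return findings
        current = current.parent

def audit(plist_dir, owner_uid=0, stop_at="/"):
    """Map each job plist in plist_dir to the weak files or directories behind it."""
    report = {}
    for plist in sorted(Path(plist_dir).glob("*.plist")):
        found = weak_links(plist, owner_uid, plist_dir)
        for target in daemon_targets(plist):
            found += weak_links(target, owner_uid, stop_at)
        if found:
            report[str(plist)] = found
    return report

if __name__ == "__main__":
    # Assumption: run with sudo on the Mac being audited; job plists are read
    # from the standard launchd directory, not a path taken from the advisory.
    for plist, found in audit("/Library/LaunchDaemons").items():
        for path, problem in found:
            print(f"{plist}: {path}: {problem}")
```

Each reported line is a file or directory that a non-root account could modify or replace before the daemon next starts; fix ownership and mode there, then re-run until the report is empty.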

Vendor Status (Vendor)

Ubuntu

Priority: High
Package: multipass

Release | Status | Version
jammy | DNE | -
noble | DNE | -
plucky | DNE | -
upstream | released | 1.16.0

CVE-2025-5199 vulnerability details – vuln.today
