EUVD-2025-209197

CVE-2025-43257 | HIGH | CVSS 3.1: 8.7
2026-04-02 | apple | GHSA-56pf-93rp-5vq3

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

3 events:

Analysis Generated: Apr 02, 2026 - 19:01 (vuln.today)
EUVD ID Assigned: Apr 02, 2026 - 19:01 (euvd), EUVD-2025-209197
CVE Published: Apr 02, 2026 - 18:25 (nvd), HIGH 8.7

Description

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox.

Analysis

A sandbox escape in macOS Sequoia prior to 15.6 allows local applications with low privileges to break containment via symlink manipulation, potentially accessing restricted system resources and user data. Apple resolved this via improved symlink handling in macOS 15.6. The CVSS score of 8.7 reflects high confidentiality and integrity impact with scope change. No public exploit was identified at the time of analysis, and the SSVC framework indicates partial technical impact with no current exploitation evidence.

Technical Context

This vulnerability stems from improper handling of symbolic links (CWE-59: Improper Link Resolution Before File Access), commonly known as symlink following, which often takes the form of a time-of-check-time-of-use (TOCTOU) race. macOS employs App Sandbox as a mandatory access control mechanism to restrict application capabilities and file system access. Applications with low privileges (PR:L in the CVSS vector) can craft malicious symlinks that, when resolved by the operating system, redirect file operations outside the intended sandbox boundary. The vulnerability affects macOS Sequoia versions prior to 15.6, as indicated by the CPE string cpe:2.3:a:apple:macos and the EUVD affected version range. Symlink vulnerabilities in sandboxed environments are particularly critical because they undermine the fundamental security architecture separating untrusted applications from sensitive system resources, enabling privilege escalation and unauthorized data access across security domains.

Affected Products

Apple macOS Sequoia versions prior to 15.6 are confirmed vulnerable per the official Apple security advisory HT124149. The CPE identifier cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:* indicates macOS platform-wide impact, with EUVD specifying a version range from macOS 0 through versions before 15.6. All macOS Sequoia installations not updated to version 15.6 or later remain susceptible to sandbox escape via symlink exploitation. The Apple advisory at https://support.apple.com/en-us/124149 provides complete affected version details and remediation guidance.

Remediation

Update macOS Sequoia to version 15.6 or later, which contains improved symlink handling that prevents the sandbox escape. Apple documents this security update in advisory HT124149 at https://support.apple.com/en-us/124149. Users should apply updates through System Settings > General > Software Update, or via enterprise deployment tools in managed environments. No workarounds are available for this vulnerability; patching to version 15.6 is the only effective remediation. Organizations should prioritize deployment to systems running untrusted or third-party applications, where sandbox integrity is critical to security posture. Verify a successful update by confirming macOS version 15.6 or higher in the About This Mac system information.
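The verification step above can be scripted for a fleet. The following is an added example, not code from Apple or vuln.today: it classifies version strings against the 15.6 fix, comparing components numerically so that 15.10 is not mistaken for an older release than 15.6. The function names and the sample inventory are constructed for illustration, and the script assumes that only Sequoia (15.x) is in scope, as the advisory text states, so other major versions are flagged for separate review.

```shell
#!/bin/sh
# Added example: triage hosts against the macOS Sequoia 15.6 fix for CVE-2025-43257.

# Print "patched", "vulnerable", "not-sequoia" or "invalid" for a version string.
sequoia_status() {
    ver=$1
    case $ver in                       # digits and single dots only
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then rest=0; fi   # bare "15" is treated as 15.0
    minor=${rest%%.*}
    if [ "$major" -ne 15 ]; then
        echo not-sequoia               # assumption: advisory scope is Sequoia (15.x)
    elif [ "$minor" -lt 6 ]; then
        echo vulnerable                # 15.0 through 15.5.x predate the fix
    else
        echo patched                   # 15.6, 15.6.1, 15.10, ... (numeric compare)
    fi
}

# Read "hostname version" lines on stdin; print hosts not confirmed patched.
hosts_to_review() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(sequoia_status "$ver")
        [ "$status" = patched ] || printf '%s %s %s\n' "$host" "$ver" "$status"
    done
}

# Constructed sample inventory (hostnames and versions are made up).
sample_inventory() {
    cat <<'EOF'
mac-build-01 15.5
mac-design-07 15.6
mac-lab-03 15.3.2
mac-legacy-02 14.7.7
mac-qa-04 15.6.1
EOF
}

# On a Mac, report the local host as well; sw_vers is absent on other systems.
if command -v sw_vers >/dev/null 2>&1; then
    echo "local: $(sequoia_status "$(sw_vers -productVersion)")"
fi
sample_inventory | hosts_to_review
```

In practice the inventory would come from an MDM or asset-management export in the same "hostname version" form.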

Priority Score

44
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0
