Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local privilege escalation requires prior code execution as a standard user (AV:L, PR:L), no user interaction, and yields full system compromise (C/I/A:H).
Primary rating from Vendor (apple).
CVSS VectorVendor: apple
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges.
AnalysisAI
Privilege escalation in Apple macOS Sequoia prior to 15.4 allows a locally executing application to bypass launch constraint protections and run malicious code with elevated privileges. The flaw, reported by Apple and tracked as EUVD-2025-210116, carries CVSS 7.8 (local, low complexity, low privileges) and CWE-269 improper privilege management, with no public exploit identified at time of analysis and CISA SSVC marking exploitation status as 'none'.
Technical ContextAI
Launch constraints are a macOS code-signing/integrity mechanism Apple introduced (notably in Ventura and expanded in Sonoma/Sequoia) that restricts which parent processes, paths, and entitlements can launch a given Mach-O binary, hardening LaunchDaemons and system services against being invoked by attacker-controlled processes. The root cause class CWE-269 (Improper Privilege Management) indicates the constraint-enforcement logic failed to fully validate the launch context, letting a process invoke a constrained binary outside its intended trust boundary. The affected CPE cpe:2.3:a:apple:macos covers macOS prior to Sequoia 15.4, where Apple states the issue was addressed with 'improved checks'.
RemediationAI
Vendor-released patch: macOS Sequoia 15.4 - upgrade affected endpoints to 15.4 or later via Software Update, referencing Apple's advisory at https://support.apple.com/en-us/122373. Where immediate upgrade is not possible, compensating controls should focus on the local-attacker prerequisite: restrict installation of unsigned or unnotarized applications by enforcing Gatekeeper at the strictest setting and deploying a Mobile Device Management profile that blocks 'Allow apps from anywhere', monitor with EDR for unexpected child-process launches of system LaunchDaemons or constrained binaries, and reduce standing local-admin rights so that the PR:L precondition is harder to satisfy. Trade-offs: Gatekeeper hardening can break legitimate in-house tooling that is not notarized, and removing admin rights from developer workstations typically requires a privilege-elevation workflow to avoid productivity loss.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210116
GHSA-8gvc-mhh7-w4gq