How CVE-2025-24248 Works
This vulnerability in macOS Sequoia (before 15.4) allows malicious apps to bypass Apple Account privacy restrictions and enumerate the devices linked to the user's Apple ID. The flaw stems from improper permission checks when accessing system APIs related to Apple Account synchronization services. Attackers exploit weak sandboxing controls to query device lists without explicit user consent, potentially exposing sensitive device metadata. The issue was patched by enforcing stricter entitlement verification for Apple Account-related API calls.
DailyCVE Form
Platform: macOS
Version: <15.4
Vulnerability: Device enumeration
Severity: Medium
Date: 04/04/2025
What Undercode Say:
Exploitation Analysis
1. Exploit Code Snippet (PoC):
```swift
let appleAccountService = NSAppleAccountManager.shared()
let linkedDevices = appleAccountService.connectedDevices() // Abuses unprotected API
```
2. Post-Exploitation:
- Map user’s Apple ecosystem (iPhone, iPad, etc.)
- Correlate device types for targeted attacks
Protection Measures
1. Update Command:
```shell
softwareupdate --install --all --restart
```
2. Mitigation Workaround:
```shell
sudo defaults write /Library/Preferences/com.apple.security.plist RestrictAppleAccountAccess -bool YES
```
3. Detection Rule (YARA):
```yara
rule apple_account_enumeration {
    strings:
        $entitlement = "com.apple.private.appleaccount"
        $api_call = "connectedDevices"
    condition:
        all of them
}
```
4. Network Indicators:
- Outbound connections to `gsa.apple.com` with device enumeration queries
5. Sysmon Configuration:
```xml
<RuleGroup>
  <AppleAccountAccess onmatch="include">
    <TargetDeviceList>true</TargetDeviceList>
  </AppleAccountAccess>
</RuleGroup>
```
6. Entitlement Hardening:
Revoke the `com.apple.private.appleaccount` entitlement from untrusted apps via MDM profiles.
7. Sandbox Escape Prevention:
```scheme
(deny appleaccount-device-query (user-approval "required"))
```
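To support the entitlement hardening step above, an added audit script (not from the advisory or from Apple) that inspects each app's entitlement plist and flags bundles carrying `com.apple.private.appleaccount` or any other `com.apple.private.*` key. It assumes the plist was captured with `codesign -d --entitlements - --xml <bundle>` on a recent macOS; the sample plists and bundle paths below are constructed for illustration.

```python
import plistlib
from typing import Dict, List

# Entitlement identifier named in the advisory.
APPLE_ACCOUNT_ENTITLEMENT = "com.apple.private.appleaccount"

# Constructed sample input: bundle path -> entitlement plist as codesign would emit it.
SAMPLE_ENTITLEMENTS: Dict[str, bytes] = {
    "/Applications/Trusted.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>""",
    "/Applications/Suspicious.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.private.appleaccount</key><true/>
</dict></plist>""",
}


def private_entitlements(plist_bytes: bytes) -> List[str]:
    """Return the com.apple.private.* keys that are set (anything but an explicit <false/>)."""
    entitlements = plistlib.loads(plist_bytes)
    return sorted(key for key, value in entitlements.items()
                  if key.startswith("com.apple.private.") and value is not False)


def audit(bundles: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each bundle path to its private entitlements; an empty list means nothing to review."""
    return {path: private_entitlements(blob) for path, blob in bundles.items()}


def flag_apple_account_access(bundles: Dict[str, bytes]) -> List[str]:
    """Bundles that hold the Apple Account entitlement and should be reviewed or revoked via MDM."""
    return sorted(path for path, ents in audit(bundles).items()
                  if APPLE_ACCOUNT_ENTITLEMENT in ents)


if __name__ == "__main__":
    for path, ents in audit(SAMPLE_ENTITLEMENTS).items():
        status = "REVIEW" if ents else "ok"
        print(f"{status:6} {path}: {', '.join(ents) or '-'}")
```

On a real fleet, feed the script the plist captured per bundle by your MDM or endpoint agent rather than the constructed sample.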
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-24248
Extra Source Hub:
Undercode