macOS, Privilege Escalation, CVE-2025-31194 (Critical)

How the CVE Works:

CVE-2025-31194 is a privilege escalation issue in the Shortcuts app on macOS Ventura, Sonoma and Sequoia, attributed to improper state management. A crafted shortcut can bypass the permission checks that are supposed to gate what a shortcut may do, so its actions run with more privilege than the user granted, up to arbitrary code execution with admin privileges and without user consent. Apple addressed it in macOS Ventura 13.7.5, Sonoma 14.7.5 and Sequoia 15.4 (released March 31, 2025) by enforcing stricter privilege isolation.

DailyCVE Form:

Platform: macOS
Version: Ventura <13.7.5, Sequoia <15.4, Sonoma <14.7.5
Vulnerability: Privilege Escalation
Severity: Critical
Date: 03/31/2025

What Undercode Says:

Exploit:

1. Craft a malicious shortcut (exported as a .shortcut file) containing a Run Shell Script action (action identifier `is.workflow.actions.runshellscript`) whose script runs the attacker's commands. Shortcuts only executes this action when "Allow Running Scripts" is enabled in Shortcuts > Settings > Advanced.

2. Have that script call `osascript` to request admin rights:

osascript -e 'do shell script "id > /tmp/pwned" with administrator privileges'

Note that `with administrator privileges` invokes the standard macOS authorization dialog: the command runs as root only if the victim enters an admin password. This PoC therefore demonstrates delivering a shell command through a shortcut, not the permission bypass that CVE-2025-31194 fixes.

3. Distribute the shortcut via phishing links or a compromised app so the victim imports and runs it.

Detection:

Look for script-running actions in the user's Shortcuts store. The Shortcuts database under ~/Library/Shortcuts/ is a binary store, so search it as text with -a (the page's original pattern "runscript" does not match the real action identifier):

grep -ra "is.workflow.actions.runshellscript" ~/Library/Shortcuts/

A match is not proof of compromise on its own; review the matching shortcut's script for osascript, "with administrator privileges", downloaders or encoded payloads.
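The grep above only tells you that some shortcut contains a Run Shell Script action. The following audit script, added here as an example and not taken from the original page or from Apple, parses a shortcut's action list and reports which actions execute code and which parameters carry the kinds of payload the exploit section describes. It works on the unsigned plist form of a shortcut (the `WFWorkflowActions` / `WFWorkflowActionIdentifier` / `WFWorkflowActionParameters` keys); extracting that plist from a signed .shortcut container or from the Shortcuts database is outside its scope. The sample shortcut is constructed for the example, and the parameter key names (`Shell`, `Script`, `WFCommentActionText`) plus the AppleScript and JavaScript action identifiers are assumptions to verify on your own macOS version.

```python
"""Audit a shortcut's action list for script execution and admin-prompt payloads."""
import plistlib
import sys
from typing import Any

# Action identifiers that execute code on macOS. The first is the Shortcuts
# "Run Shell Script" action; the other two are assumptions added for
# illustration and should be verified before relying on them.
SCRIPT_ACTIONS = {
    "is.workflow.actions.runshellscript",
    "is.workflow.actions.runapplescript",               # assumed
    "is.workflow.actions.runjavascriptforautomation",   # assumed
}

# Substrings in action parameters worth an analyst's attention.
SUSPICIOUS_PARAMS = (
    "with administrator privileges",  # AppleScript admin password prompt
    "osascript",
    "curl ",
    "base64",
)

# Constructed sample (not a captured artifact): the unsigned plist form of a
# shortcut that hides the page's osascript payload behind a harmless comment.
# Parameter key names ("Shell", "Script", "WFCommentActionText") are assumptions.
SAMPLE_SHORTCUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>WFWorkflowActions</key>
  <array>
    <dict>
      <key>WFWorkflowActionIdentifier</key>
      <string>is.workflow.actions.comment</string>
      <key>WFWorkflowActionParameters</key>
      <dict>
        <key>WFCommentActionText</key>
        <string>Formats invoices for printing</string>
      </dict>
    </dict>
    <dict>
      <key>WFWorkflowActionIdentifier</key>
      <string>is.workflow.actions.runshellscript</string>
      <key>WFWorkflowActionParameters</key>
      <dict>
        <key>Shell</key>
        <string>/bin/zsh</string>
        <key>Script</key>
        <string>osascript -e 'do shell script "id &gt; /tmp/pwned" with administrator privileges'</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def _strings(value: Any, out: list[str]) -> None:
    """Collect every string nested anywhere inside an action's parameters."""
    if isinstance(value, str):
        out.append(value)
    elif isinstance(value, dict):
        for v in value.values():
            _strings(v, out)
    elif isinstance(value, list):
        for v in value:
            _strings(v, out)


def audit_shortcut(plist_bytes: bytes) -> list[dict[str, Any]]:
    """Return one finding per action that executes code or carries a suspicious parameter.

    plistlib.loads accepts both XML and binary plists, so the same function
    works on a binary plist blob as on an XML export.
    """
    workflow = plistlib.loads(plist_bytes)
    findings: list[dict[str, Any]] = []
    for index, action in enumerate(workflow.get("WFWorkflowActions", [])):
        identifier = action.get("WFWorkflowActionIdentifier", "")
        strings: list[str] = []
        _strings(action.get("WFWorkflowActionParameters", {}), strings)
        reasons: list[str] = []
        if identifier in SCRIPT_ACTIONS:
            reasons.append("script-executing action")
        hits = sorted({m for s in strings for m in SUSPICIOUS_PARAMS if m in s})
        reasons.extend(f"parameter contains {m!r}" for m in hits)
        if reasons:
            findings.append({"index": index, "identifier": identifier, "reasons": reasons})
    return findings


def audit_file(path: str) -> list[dict[str, Any]]:
    """Audit a plist file on disk (XML or binary)."""
    with open(path, "rb") as fh:
        return audit_shortcut(fh.read())


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_shortcut(SAMPLE_SHORTCUT)
    for finding in results:
        print(f"action {finding['index']} ({finding['identifier']}): " + "; ".join(finding["reasons"]))
```

Run it with a plist path to audit a file, or with no arguments to audit the embedded sample; the benign comment action produces no finding, while the Run Shell Script action is flagged both for its identifier and for the `osascript` / `with administrator privileges` strings in its parameters.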

Mitigation:

1. Update to macOS Ventura 13.7.5, Sonoma 14.7.5 or Sequoia 15.4 or later.

2. Keep "Allow Running Scripts" disabled in Shortcuts > Settings > Advanced (it is off by default); this blocks the Run Shell Script action regardless of where a shortcut came from. The preference key below is sometimes suggested for the same purpose but is not documented by Apple, so verify its effect before relying on it:

defaults write com.apple.Shortcuts AppleScriptEnabled -bool false

3. Review the entitlements held by the Shortcuts app, which lives under /System/Applications on current macOS. This is informational: it shows what the app itself is permitted to do, not whether a given shortcut is malicious:

codesign -d --entitlements - /System/Applications/Shortcuts.app


CVSS 4.0:

  • Base Score: 9.8 (as listed by the source). The vector string given with it, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/S:C/C:H/I:H/A:H, is not a valid CVSS 4.0 vector (4.0 has no S: metric and splits impact into VC/VI/VA and SC/SI/SA), and UI:N contradicts the note below that the PoC requires user interaction. Treat the score as unverified and check the NVD entry for the official vector.

Notes:

  • Delivered remotely (malicious link, phishing attachment or bundled app), but the victim has to import and run the shortcut.
  • Proof-of-Concept (PoC) requires user interaction but no authentication to the target.

References:

  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31194
