Introduction
A critical vulnerability, CVE-2025-24167, has been discovered in Apple’s iOS, iPadOS, macOS, and Safari. This flaw allows a download’s origin to be incorrectly associated, potentially leading to system instability or exposure of sensitive data. The vulnerability affects versions of iOS and iPadOS prior to 18.4, macOS versions before 15.4, and Safari versions before 18.4. With a CVSS score of 9.8, it is considered a high-severity issue that requires immediate attention from users and administrators alike.
Technical Overview
This vulnerability occurs when the origin of a download is improperly associated due to insufficient state management in the affected Apple products. As a result, an attacker could potentially manipulate download sources, leading to unexpected behavior, such as execution of untrusted files or exposure of sensitive data. The flaw impacts macOS, iOS, iPadOS, and Safari, with versions prior to those mentioned being vulnerable to exploitation.
Impact and CVSS Score
The CVSS score for CVE-2025-24167 is 9.8, marking it as a critical security issue. The CVSS vector string for this vulnerability is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This means:
- The vulnerability can be exploited remotely (Network attack vector).
- It has low complexity, making it easier to exploit.
- It does not require user interaction, increasing the risk of exploitation.
- The vulnerability significantly impacts confidentiality, integrity, and availability.
Apple’s Response
Apple has addressed this issue by releasing updates in Safari 18.4, iOS 18.4, iPadOS 18.4, and macOS Sequoia 15.4. These updates improve state management, preventing the incorrect association of download origins and strengthening overall security. It is strongly recommended that users update their systems immediately to mitigate potential risks.
Conclusion
Given the critical nature of CVE-2025-24167, users of the affected Apple products should update their systems as soon as possible. Regular updates are crucial in maintaining the security of your devices and ensuring the safety of your sensitive information.