CVE-2024-27872

5.5 MEDIUM

📋 TL;DR

This vulnerability allows a malicious app to bypass macOS symlink validation and access protected user data. It affects macOS systems before Sonoma 14.6. The issue involves improper handling of symbolic links that could lead to unauthorized data access.

💻 Affected Systems

Products:
  • macOS
Versions: before macOS Sonoma 14.6
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default macOS configurations are vulnerable before patching. Requires app execution capability.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could gain access to sensitive user data like passwords, encryption keys, or personal files through a malicious application.

🟠

Likely Case

Malicious apps in the App Store or downloaded from untrusted sources could access user data they shouldn't have permission to read.

🟢

If Mitigated

With proper app sandboxing and user permission controls, impact is limited to data accessible by the app's granted permissions.

🌐 Internet-Facing: LOW - This requires local app execution, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Requires user to install/run malicious app, but could be combined with social engineering or other attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to run a malicious application. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Sonoma 14.6

Vendor Advisory: https://support.apple.com/en-us/HT214119

Restart Required: Yes

Instructions:

1. Open System Settings
2. Click General
3. Click Software Update
4. Install macOS Sonoma 14.6 or later
5. Restart when prompted

🔧 Temporary Workarounds

Restrict App Installation Sources

macOS

Only allow app installations from the App Store and identified developers

Enable Gatekeeper

macOS

Ensure Gatekeeper is enabled to block apps from unidentified developers

sudo spctl --master-enable

🧯 If You Can't Patch

  • Implement application allowlisting to control which apps can run
  • Educate users about risks of installing apps from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check macOS version in System Settings > General > About. If version is earlier than 14.6, system is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version is 14.6 or later in System Settings > General > About.
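The version check above, scripted so it can be run on a fleet or sourced into other tooling. This is an added example and not part of the advisory; it assumes only that `sw_vers -productVersion` prints a dotted version such as "14.5.1", and it follows the advisory's stated range literally: any version below 14.6, including older major releases, is reported as affected.

```shell
# Added example, not part of the advisory: compare a macOS product version
# against the fixed release named in the advisory (Sonoma 14.6).

# Returns 0 if the given version string is below 14.6 (affected),
# 1 if it is 14.6 or later, 2 if the string is not a dotted version.
is_vulnerable_version() {
  ver="$1"
  case "$ver" in
    ""|*[!0-9.]*) return 2 ;;
  esac
  major=$(printf '%s' "$ver" | cut -d. -f1)
  # -s prints nothing when there is no '.' at all (a bare "14"),
  # so a missing minor component defaults to 0 below
  minor=$(printf '%s' "$ver" | cut -s -d. -f2)
  minor=${minor:-0}
  if [ -z "$major" ]; then
    return 2
  fi
  if [ "$major" -lt 14 ]; then
    return 0
  fi
  if [ "$major" -eq 14 ] && [ "$minor" -lt 6 ]; then
    return 0
  fi
  return 1
}

# Runs the check on the local Mac and prints a one-line verdict.
check_host() {
  if ! command -v sw_vers >/dev/null 2>&1; then
    echo "sw_vers not found: this is not macOS" >&2
    return 2
  fi
  ver=$(sw_vers -productVersion)
  if is_vulnerable_version "$ver"; then
    echo "macOS $ver: below 14.6, affected by CVE-2024-27872"
    return 0
  fi
  echo "macOS $ver: 14.6 or later, fix applied"
  return 1
}

# Only run the host check on macOS so the functions can be sourced elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then
  check_host
fi
```

The exit status of `check_host` (0 affected, 1 fixed, 2 not macOS) is what an inventory or MDM script should key on rather than the printed text.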

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns by applications
  • Console logs showing symlink-related errors

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

source="macos" AND (event="file_access" OR event="symlink") AND user_data NOT NULL
