Login Sign Up

CVE-2024-27886

5.5 MEDIUM

📋 TL;DR

This vulnerability allows unprivileged applications on macOS to log keystrokes from other applications, including those using secure input mode. It affects macOS systems before version 14.4. Users running vulnerable macOS versions are at risk of having sensitive input data captured by malicious applications.

💻 Affected Systems

Products:
  • macOS
Versions: Versions before macOS Sonoma 14.4
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All macOS installations before version 14.4 are vulnerable by default. No special configuration required.

📦 What is this software?

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all keyboard input including passwords, financial data, and confidential communications from any application on the system.

🟠

Likely Case

Targeted credential harvesting or surveillance of specific applications by malware or malicious software.

🟢

If Mitigated

Limited impact if proper application vetting and security controls prevent malicious software installation.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local application execution.
🏢 Internal Only: MEDIUM - Malicious internal applications or compromised user workstations could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user to install and run a malicious application. The vulnerability involves logic issues in input handling rather than memory corruption.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Sonoma 14.4

Vendor Advisory: https://support.apple.com/en-us/HT214084

Restart Required: Yes

Instructions:

1. Open System Settings 2. Click General 3. Click Software Update 4. Install macOS Sonoma 14.4 or later 5. Restart when prompted

🔧 Temporary Workarounds

Application Restriction

macOS

Restrict installation of applications to only those from the App Store and identified developers

System Settings > Privacy & Security > Security > Allow applications downloaded from: App Store

🧯 If You Can't Patch

  • Implement application allowlisting to prevent unauthorized applications from running
  • Use separate secure systems for sensitive data entry and processing

🔍 How to Verify

Check if Vulnerable:

Check macOS version: System Settings > General > About > macOS version

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version is 14.4 or later: System Settings > General > About > macOS version

📡 Detection & Monitoring

Log Indicators:

  • Unusual application behavior accessing keyboard input APIs
  • Multiple applications requesting accessibility permissions

Network Indicators:

  • Unusual outbound traffic from applications that shouldn't have network access

SIEM Query:

process:accessibility OR process:keyboard AND NOT user:privileged

📊 Metadata

CVE ID: CVE-2024-27886
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE: CWE-783
Published: July 29, 2024
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-27886, you might also want to check these:

CVE-2026-25233 9.1

This vulnerability in PEAR (PHP Extension and Application Repository) allows non-lead maintainers to...

Same vulnerability type (CWE-783)
CVE-2024-20314 8.6

This vulnerability in Cisco IOS XE Software's IPv4 SD-Access fabric edge node allows unauthenticated...

Same vulnerability type (CWE-783)
CVE-2024-20480 8.6

An unauthenticated remote attacker can send specially crafted IPv4 DHCP packets to Cisco IOS XE SD-A...

Same vulnerability type (CWE-783)