Login Sign Up

CVE-2024-40793

5.5 MEDIUM

📋 TL;DR

This CVE describes an information disclosure vulnerability in Apple operating systems where an app could access user-sensitive data without proper authorization. The vulnerability affects iOS, iPadOS, macOS, and watchOS across multiple versions. Apple has addressed this by removing the vulnerable code in security updates.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • macOS
  • watchOS
Versions: Versions prior to iOS 16.7.9, iPadOS 16.7.9, macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6, iPadOS 17.6, watchOS 10.6, macOS Sonoma 14.6
Operating Systems: iOS, iPadOS, macOS, watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All affected operating systems in their default configurations are vulnerable until patched.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Watchos by Apple

View all CVEs affecting Watchos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious apps could access sensitive user data including personal information, credentials, or private files stored on the device.

🟠

Likely Case

Apps with malicious intent could harvest user data they shouldn't have access to, potentially leading to privacy violations or credential theft.

🟢

If Mitigated

With proper app sandboxing and security controls, the impact would be limited to data within the app's designated permissions.

🌐 Internet-Facing: LOW - This is primarily a local app vulnerability, not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Malicious apps installed on devices could exploit this, but requires local app execution.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious app to be installed on the target device. No public exploit code has been identified in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 16.7.9, iPadOS 16.7.9, macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6, iPadOS 17.6, watchOS 10.6, macOS Sonoma 14.6

Vendor Advisory: https://support.apple.com/en-us/HT214108

Restart Required: Yes

Instructions:

1. Open Settings app. 2. Go to General > Software Update. 3. Download and install the latest available update. 4. Restart device when prompted.

🔧 Temporary Workarounds

Restrict App Installation

all

Only install apps from trusted sources like the official App Store and avoid sideloading unknown applications.

Review App Permissions

all

Regularly review and restrict app permissions in device settings to limit data access.

🧯 If You Can't Patch

  • Implement strict app installation policies allowing only verified applications from trusted sources
  • Use mobile device management (MDM) solutions to enforce security policies and monitor for suspicious app behavior

🔍 How to Verify

Check if Vulnerable:

Check device version in Settings > General > About > Software Version

Check Version:

iOS/iPadOS: Settings > General > About > Software Version; macOS: Apple menu > About This Mac

Verify Fix Applied:

Verify the installed version matches or exceeds the patched versions listed in the fix information

📡 Detection & Monitoring

Log Indicators:

  • Unusual app behavior accessing protected data areas
  • App crash reports related to data access violations

Network Indicators:

  • Unusual data exfiltration from apps to external servers

SIEM Query:

source="apple_device_logs" AND (event_type="data_access_violation" OR app_behavior="unusual_data_access")

📊 Metadata

CVE ID: CVE-2024-40793
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-200
Published: July 29, 2024
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-40793, you might also want to check these:

CVE-2025-61481 10.0

MikroTik RouterOS and SwOS expose their WebFig management interface over unencrypted HTTP by default...

Same vulnerability type (CWE-200)
CVE-2025-53624 10.0

The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-sid...

Same vulnerability type (CWE-200)
CVE-2023-49103 10.0

This vulnerability in ownCloud's graphapi app exposes PHP configuration details (phpinfo) via a thir...

Same vulnerability type (CWE-200)