CVE-2024-54539
📋 TL;DR
This vulnerability allows an application to capture keyboard events from the macOS lock screen, potentially enabling unauthorized access to sensitive information entered before full authentication. It affects macOS users running vulnerable versions of Sonoma, Sequoia, and Ventura who have not applied the latest security updates.
💻 Affected Systems
- macOS
📦 What is this software?
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →⚠️ Risk & Real-World Impact
Worst Case
An attacker could capture passwords, PINs, or other sensitive input entered at the lock screen, potentially leading to full system compromise or data theft.
Likely Case
Malicious applications could capture limited keyboard input during lock screen interactions, potentially exposing some sensitive information.
If Mitigated
With proper application sandboxing and security controls, the impact would be limited to applications with specific permissions.
🎯 Exploit Status
Requires malicious application installation and execution. Apple has addressed this through improved state management.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2
Vendor Advisory: https://support.apple.com/en-us/121839
Restart Required: Yes
Instructions:
1. Open System Settings 2. Click General 3. Click Software Update 4. Install available updates 5. Restart when prompted
🔧 Temporary Workarounds
Disable automatic login
macOSPrevents applications from potentially capturing input during automatic login scenarios
Use FileVault encryption
macOSAdds additional security layer to protect against unauthorized access
🧯 If You Can't Patch
- Restrict application installation to App Store only via MDM or parental controls
- Implement strict application allowlisting policies
🔍 How to Verify
Check if Vulnerable:
Check macOS version in System Settings > General > About. If version is Sonoma <14.7.2, Sequoia <15.2, or Ventura <13.7.2, system is vulnerable.Check Version:
sw_versVerify Fix Applied:
Verify macOS version shows 14.7.2, 15.2, or 13.7.2 or higher in System Settings > General > About.📡 Detection & Monitoring
Log Indicators:
- Unusual application behavior at lock screen
- Unexpected keyboard event captures
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
process:name contains keyboard or input AND event:lock_screen