CVE-2025-24150
📋 TL;DR
This vulnerability allows command injection when copying URLs from Web Inspector in affected Apple products. Attackers could execute arbitrary commands on the system by tricking users into copying malicious URLs. It affects macOS, iOS, iPadOS, and Safari in versions earlier than the patched releases.
💻 Affected Systems
- macOS
- Safari
- iOS
- iPadOS
📦 What is this software?
iPadOS by Apple
macOS by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Safari by Apple
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing remote code execution, data theft, and persistent backdoor installation
Likely Case
Limited command execution in user context, potentially leading to data exfiltration or further privilege escalation
If Mitigated
No impact if patched; otherwise, limited to users with Web Inspector access and specific user interaction
🎯 Exploit Status
Requires user interaction and Web Inspector access; no public exploit available
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Sequoia 15.3, Safari 18.3, iOS 18.3, iPadOS 18.3
Vendor Advisory: https://support.apple.com/en-us/122066
Restart Required: No
Instructions:
1. Update macOS to Sequoia 15.3 or later via System Settings > General > Software Update
2. Update Safari to 18.3 or later via App Store updates
3. Update iOS/iPadOS to 18.3 or later via Settings > General > Software Update
🔧 Temporary Workarounds
Disable Web Inspector
(all platforms) Prevent access to Web Inspector to eliminate the attack vector
Safari: Safari > Settings > Advanced > uncheck 'Show Develop menu in menu bar'
Avoid copying URLs from Web Inspector
(all platforms) Make users aware that they should not copy URLs from the Web Inspector interface
🧯 If You Can't Patch
- Restrict Web Inspector access to trusted users only
- Implement application allowlisting to prevent unauthorized command execution
🔍 How to Verify
Check if Vulnerable:
Check if macOS version is below 15.3, Safari below 18.3, or iOS/iPadOS below 18.3
Check Version:
macOS: sw_vers -productVersion
Safari: defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
iOS/iPadOS: Settings > General > About > Version
Verify Fix Applied:
Confirm macOS version is 15.3+, Safari 18.3+, or iOS/iPadOS 18.3+
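The version check above as a script, added here as an example and not taken from Apple or from this page's source: it compares the output of the two commands under Check Version with the fixed releases from the Official Fix section. The function names version_lt and check_fixed are made up for this example.

```shell
#!/bin/sh
# Added example: compare installed versions with the fixed releases on this page.
FIXED_MACOS="15.3"    # from "Official Fix"
FIXED_SAFARI="18.3"   # from "Official Fix"

# version_lt A B: succeeds when dotted version A is lower than B.
# Fields are compared as numbers, so 15.10 is newer than 15.3,
# and a missing field counts as 0 (15.3 equals 15.3.0).
version_lt() {
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 1; fi
  done
  return 1
}

# check_fixed NAME INSTALLED FIXED
# returns 0 = at or above the fix, 1 = below it, 2 = version not parseable
check_fixed() {
  case $2 in
    ''|*[!0-9.]*|.*|*.|*..*) echo "$1: unknown version '$2'"; return 2 ;;
  esac
  if version_lt "$2" "$3"; then
    echo "$1 $2: below $3, update required"; return 1
  fi
  echo "$1 $2: at or above $3"; return 0
}

# Only query the system when the macOS tools are present.
if command -v sw_vers >/dev/null 2>&1; then
  status=0
  check_fixed macOS "$(sw_vers -productVersion)" "$FIXED_MACOS" || status=1
  safari=$(defaults read /Applications/Safari.app/Contents/Info.plist \
    CFBundleShortVersionString 2>/dev/null) || safari=
  check_fixed Safari "$safari" "$FIXED_SAFARI" || status=1
  if [ "$status" -eq 0 ]; then echo "overall: patched"; else echo "overall: action needed"; fi
fi
```

A plain string comparison would rank 15.10 below 15.3, which is why the fields are compared numerically.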
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution from Safari/WebKit processes
- Suspicious process spawning from browser context
Network Indicators:
- Unexpected outbound connections from browser processes
- Command and control traffic patterns
SIEM Query:
process_name:safari AND (command_line:*sh* OR command_line:*bash* OR command_line:*curl* OR command_line:*wget*)
🔗 References
- https://support.apple.com/en-us/122066
- https://support.apple.com/en-us/122068
- https://support.apple.com/en-us/122074
- http://seclists.org/fulldisclosure/2025/Jan/13
- http://seclists.org/fulldisclosure/2025/Jan/15
- http://seclists.org/fulldisclosure/2025/Jan/20
- https://lists.debian.org/debian-lts-announce/2025/02/msg00014.html