CVE-2025-24167

9.8 CRITICAL

📋 TL;DR

Safari's download handling may associate a download with the wrong origin, so a file served by an attacker-controlled site can be presented as if it came from a site the user trusts, which makes it far easier to get a malicious file opened. It affects Safari on iOS, iPadOS and macOS before Apple's 18.4 releases (macOS Sequoia 15.4, or the standalone Safari 18.4 update on older macOS). No interaction beyond ordinary browsing and opening the download is required, which is reflected in the 9.8 Critical score shown above.

💻 Affected Systems

Products:
  • Safari
  • iOS
  • iPadOS
  • macOS
Versions: Versions before Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4 (Safari 18.4 is also shipped as a standalone update for macOS Ventura and macOS Sonoma)
Operating Systems: iOS, iPadOS, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default configurations of the listed Apple products before the patched versions.

📦 What is this software?

Safari is Apple's WebKit-based web browser and the default browser on iOS, iPadOS and macOS. On iOS and iPadOS it is updated only with the operating system; on macOS it ships with the OS release and, for the two previous macOS versions, as a separate Safari update delivered through Software Update.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users download and execute malicious files believing they come from trusted sources, leading to full system compromise, data theft, or ransomware installation.

🟠

Likely Case

Users are tricked into downloading and opening malicious files disguised as legitimate downloads from trusted websites.

🟢

If Mitigated

With application allow-listing in place and users who know that a download's displayed source cannot be trusted on unpatched builds, the file may still land on disk but is blocked from executing, so impact is limited to a blocked download and an alert to investigate.

🌐 Internet-Facing: HIGH - This vulnerability can be exploited through normal web browsing activities.
🏢 Internal Only: LOW - Primarily affects external web browsing, though internal web applications could potentially be leveraged.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability appears to be exploitable through normal web browsing without authentication, though specific exploit details aren't publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4

Vendor Advisory: https://support.apple.com/en-us/122371

Restart Required: Yes

Instructions:

  1. Open Settings (iOS/iPadOS) or System Settings (macOS; System Preferences on macOS 12 and earlier).
  2. Go to General → Software Update.
  3. Install the latest available update. On macOS Ventura or Sonoma the fix arrives as a standalone Safari 18.4 update in the same pane.
  4. Restart the device when prompted.

🔧 Temporary Workarounds

Stop Safari from automatically opening downloads

Platform: macOS

With 'Open "safe" files after downloading' enabled, a downloaded archive or disk image is unpacked or mounted the moment it lands. Combined with a misattributed origin, that removes the last point at which a user might notice where the file really came from. Turning it off does not block the download itself; it forces a deliberate open and a Gatekeeper check.

Safari Settings → General → Uncheck 'Open "safe" files after downloading'

Optionally also set Safari Settings → Websites → Downloads → "When visiting other websites" to Ask, so every download prompts before it starts.

Use alternative browser

Platform: macOS

Temporarily use a different browser until the update is installed. This only helps on macOS: on iOS and iPadOS third-party browsers run on the system WebKit (alternative engines are only permitted in the EU) and the fix ships with the OS, so switching browsers is not a reliable mitigation there.

🧯 If You Can't Patch

  • Enforce Gatekeeper/notarization and an application allow-list (e.g. through MDM) so an unexpected installer cannot run even if a user opens it
  • Tell users that, until they are patched, the site a Safari download appears to come from may be wrong; the real serving host is only visible in proxy or DNS logs

🔍 How to Verify

Check if Vulnerable:

Check Safari version: Safari → About Safari. Check OS version: iOS/iPadOS → Settings → General → About; macOS → Apple menu → About This Mac.

Check Version:

macOS: sw_vers; iOS/iPadOS: Settings → General → About → Version

Verify Fix Applied:

Verify version numbers match or exceed Safari 18.4, iOS 18.4, iPadOS 18.4, or macOS Sequoia 15.4.
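The version checks above can be scripted for a Mac fleet. The script below is an added example, not part of Apple's advisory: the fixed versions come from this page, while the Safari Info.plist path, the use of PlistBuddy, and the AutoOpenSafeDownloads key under Safari's sandboxed preference domain are assumptions based on common macOS hardening checks. The version comparison is plain POSIX sh so it also works on exported MDM inventory on a non-Mac host.

```shell
#!/bin/sh
# Added example: is this Mac on a build that contains the CVE-2025-24167 fix,
# and is the "Open 'safe' files after downloading" workaround switched off?

MACOS_FIXED="15.4"   # macOS Sequoia 15.4 bundles Safari 18.4 (from the advisory)
SAFARI_FIXED="18.4"  # standalone Safari update for macOS Ventura / Sonoma

# version_ge A B: exit 0 if dotted numeric version A >= B, else 1.
# Compares component by component; a missing trailing component counts as 0,
# so 18.4.1 >= 18.4 and 18.4 >= 18.3.1. Non-numeric components are not handled.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; ai="${ai:-0}"
        bi="${b%%.*}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# report_status NAME INSTALLED REQUIRED: print a verdict; exit 0 when patched.
report_status() {
    if version_ge "$2" "$3"; then
        printf '%-7s %-8s patched (>= %s)\n' "$1" "$2" "$3"
        return 0
    fi
    printf '%-7s %-8s VULNERABLE, update to %s or later\n' "$1" "$2" "$3"
    return 1
}

# The live checks only run on macOS (sw_vers present). On Sequoia the OS
# version alone decides; on Ventura/Sonoma the Safari bundle version matters.
if command -v sw_vers >/dev/null 2>&1; then
    report_status macOS "$(sw_vers -productVersion)" "$MACOS_FIXED" || true

    plist=/Applications/Safari.app/Contents/Info.plist   # assumed location
    if [ -f "$plist" ]; then
        safari_ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist")
        report_status Safari "$safari_ver" "$SAFARI_FIXED" || true
    fi

    # Workaround check: Safari is sandboxed, so its preferences live in its
    # container (assumed path). A missing key means the default (auto-open on).
    pref="$HOME/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari"
    if v=$(defaults read "$pref" AutoOpenSafeDownloads 2>/dev/null) && [ "$v" = "0" ]; then
        echo "Open 'safe' files after downloading: disabled"
    else
        echo "Open 'safe' files after downloading: ENABLED (uncheck in Safari Settings > General)"
    fi
fi
```

Run it as the logged-in user (the preference lives in that user's container); for iOS and iPadOS there is no equivalent shell check, so rely on MDM-reported OS versions against 18.4.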

📡 Detection & Monitoring

Log Indicators:

  • Installer or archive downloads (.dmg, .pkg, .zip) served by a host that is not on the organisation's download allow-list
  • Several such downloads from one user session in a short window, especially right after visiting a trusted site

Network Indicators:

  • Downloads whose serving host belongs to a different site than the page that linked to them (Referer). The misattributed origin exists only in Safari's UI and is not visible on the wire, so this referer/host mismatch is the closest proxy-level signal.
  • Newly seen or low-reputation hosts serving executable content types (application/x-apple-diskimage, application/octet-stream) to browser user agents

SIEM Query (pseudo-SPL; field names depend on the proxy):

source="web_proxy" AND action="download" AND (uri_path="*.dmg" OR uri_path="*.pkg" OR uri_path="*.zip") AND NOT dest_domain IN (trusted_download_domains) AND referer_domain!=dest_domain
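The same logic as the query, run over a handful of proxy log lines. This is an added example for this page, not tooling from Apple or from any SIEM vendor: the CSV layout, every host name in SAMPLE_LOG, the extension list and the allow-list are constructed for illustration, and the "site" function approximates a registrable domain with the last two DNS labels rather than a public-suffix list.

```python
"""Flag proxy-logged installer downloads whose serving site differs from the
site that linked to them (a proxy-level stand-in for a spoofed download origin)."""
import csv
import io
from urllib.parse import urlsplit

# Constructed proxy log (CSV), not real traffic. Row 2 is the case the
# indicators describe: a .pkg served by an unrelated host while the user was
# on a trusted site. Row 5 has no referer and a trusted serving site.
SAMPLE_LOG = """timestamp,user,method,url,referer,content_type,bytes
2025-03-31T10:01:02Z,alice,GET,https://cdn.example-vendor.test/Installer.dmg,https://www.example-vendor.test/download,application/x-apple-diskimage,48211000
2025-03-31T10:04:10Z,bob,GET,https://files.attacker-host.test/Update.pkg,https://www.trusted-bank.test/login,application/octet-stream,3120044
2025-03-31T10:05:33Z,bob,GET,https://files.attacker-host.test/report.pdf,https://www.trusted-bank.test/login,application/pdf,90211
2025-03-31T10:07:45Z,carol,GET,https://www.trusted-bank.test/statement.pdf,https://www.trusted-bank.test/account,application/pdf,120000
2025-03-31T10:09:00Z,dave,GET,https://mirror.example-vendor.test/tool.zip,,application/zip,5000000
"""

# File types that become code or an installer on macOS (assumed list; tune per fleet).
RISKY_EXTENSIONS = (".dmg", ".pkg", ".zip", ".command", ".sh", ".jar")
# Sites allowed to serve installers regardless of referer (assumed allow-list).
TRUSTED_DOWNLOAD_SITES = {"example-vendor.test"}


def site(url: str) -> str:
    """Registrable-domain approximation: last two DNS labels of the host.
    Real deployments should use a public-suffix list instead."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_risky_download(url: str) -> bool:
    """True when the URL path ends in an extension from RISKY_EXTENSIONS."""
    return urlsplit(url).path.lower().endswith(RISKY_EXTENSIONS)


def flag_suspicious_downloads(log_text: str) -> list[dict]:
    """Return downloads that are (a) executable-ish, (b) not served by an
    allow-listed site, and (c) served by a different site than the referer."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        url, referer = row["url"], row["referer"]
        if not is_risky_download(url):
            continue
        served_by = site(url)
        if served_by in TRUSTED_DOWNLOAD_SITES:
            continue
        referer_site = site(referer) if referer else ""
        if referer_site and referer_site != served_by:
            findings.append({
                "time": row["timestamp"],
                "user": row["user"],
                "referer_site": referer_site,
                "served_by": served_by,
                "url": url,
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_downloads(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}: {f['url']} served by {f['served_by']} "
              f"while browsing {f['referer_site']}")
```

On the sample data only bob's Update.pkg is reported; the PDF from the same host is ignored because it is not in the risky-extension list, which is a deliberate trade-off to keep the alert volume low rather than a statement that PDFs are safe.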

🔗 References

  • Apple, "About the security content of Safari 18.4": https://support.apple.com/en-us/122371
