CVE-2025-30461
📋 TL;DR
This CVE describes a macOS sandbox bypass vulnerability where malicious applications can access protected user data from system pasteboards. It affects macOS systems before Sequoia 15.4. The vulnerability allows unauthorized access to sensitive clipboard information that should be isolated by sandbox restrictions.
💻 Affected Systems
- macOS
📦 What is this software?
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →⚠️ Risk & Real-World Impact
Worst Case
Malicious app steals sensitive clipboard data including passwords, financial information, authentication tokens, and other confidential data from any application on the system.
Likely Case
Malware or compromised applications exfiltrate clipboard contents containing potentially sensitive user information like copied passwords, URLs, or personal data.
If Mitigated
Limited data exposure from non-sensitive applications, with potential detection through security monitoring of unusual clipboard access patterns.
🎯 Exploit Status
Exploitation requires user to install and run a malicious application. The vulnerability itself has low complexity once malicious code is executing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Sequoia 15.4
Vendor Advisory: https://support.apple.com/en-us/122373
Restart Required: Yes
Instructions:
1. Open System Settings
2. Click General
3. Click Software Update
4. Install macOS Sequoia 15.4 update
5. Restart when prompted
🔧 Temporary Workarounds
Application Whitelisting
allRestrict application installation to trusted sources only using MDM or security policies
Clipboard Monitoring
allUse security tools to monitor and alert on unusual clipboard access patterns
🧯 If You Can't Patch
- Implement strict application control policies to prevent unauthorized app installation
- Use endpoint detection and response (EDR) tools to monitor for suspicious clipboard access behavior
🔍 How to Verify
Check if Vulnerable:
Check macOS version in System Settings > General > About. If version is earlier than Sequoia 15.4, system is vulnerable.Check Version:
sw_versVerify Fix Applied:
Verify macOS version shows Sequoia 15.4 or later in System Settings > General > About.📡 Detection & Monitoring
Log Indicators:
- Unusual process accessing pasteboard services
- Multiple applications accessing clipboard simultaneously
- Suspicious network connections following clipboard access
Network Indicators:
- Data exfiltration patterns following clipboard access events
- Unusual outbound connections from applications with clipboard permissions
SIEM Query:
process_name:"pbpaste" OR process_name:"pbcopy" AND NOT user:trusted_user