CVE-2025-31237 – A vulnerability in macOS AFP (Apple Filing Prot... (How to Fix)

Q: What is the severity of CVE-2025-31237?

CVE-2025-31237 has a CVSS score of 7.5 (HIGH). A vulnerability in macOS AFP (Apple Filing Protocol) allows attackers to cause system termination (kernel panic/crash) by mounting a maliciously crafted network share. This affects macOS Ventura, Sequoia, and Sonoma systems before specific security updates. The vulnerability requires network access to an AFP share.

📋 TL;DR

A vulnerability in macOS AFP (Apple Filing Protocol) allows attackers to cause system termination (kernel panic/crash) by mounting a maliciously crafted network share. This affects macOS Ventura, Sequoia, and Sonoma systems before specific security updates. The vulnerability requires network access to an AFP share.

💻 Affected Systems

Products:

macOS

Versions: macOS Ventura before 13.7.6, macOS Sequoia before 15.5, macOS Sonoma before 14.7.6

Operating Systems: macOS

Default Config Vulnerable: ⚠️ Yes

Notes: AFP protocol must be enabled/accessible for exploitation. Systems not using AFP shares are not vulnerable.

📦 What is this software?

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash leading to denial of service, potential data loss from unsaved work, and disruption of services running on affected systems.

🟠

Likely Case

Temporary denial of service requiring system reboot, with potential for repeated attacks causing extended downtime.

🟢

If Mitigated

No impact if systems are patched or AFP network share mounting is restricted to trusted sources.

🌐 Internet-Facing: MEDIUM - Requires network access to AFP shares, which are less commonly exposed to internet than other protocols.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to crash targeted macOS systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to mount malicious AFP share. Public disclosures suggest proof-of-concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Ventura 13.7.6, macOS Sequoia 15.5, macOS Sonoma 14.7.6

Vendor Advisory: https://support.apple.com/en-us/122716

Restart Required: Yes

Instructions:

1. Open System Settings > General > Software Update. 2. Install available updates. 3. Restart when prompted.

🔧 Temporary Workarounds

Disable AFP Sharing

all

Disable AFP protocol to prevent mounting of malicious shares

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist

Restrict AFP Network Access

all

Use firewall rules to restrict AFP (port 548) to trusted networks only

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/sbin/AppleFileServer
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --block /usr/sbin/AppleFileServer

🧯 If You Can't Patch

Disable AFP protocol entirely if not required for business operations
Implement network segmentation to restrict AFP traffic to trusted zones only

🔍 How to Verify

Check if Vulnerable:

Check macOS version: if running Ventura <13.7.6, Sequoia <15.5, or Sonoma <14.7.6, system is vulnerable

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version shows 13.7.6, 15.5, or 14.7.6 or higher

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs in /Library/Logs/DiagnosticReports
Unexpected AFP connection attempts in system logs

Network Indicators:

Unusual AFP (port 548) traffic from untrusted sources
Multiple failed AFP mount attempts

SIEM Query:

source="macos_system_logs" AND (event="kernel panic" OR process="AppleFileServer")

📊 Metadata

CVE ID: CVE-2025-31237

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-404

EPSS Score: 0.16% exploit probability (36.7th percentile)

Published: May 12, 2025

Last Updated: November 3, 2025

🔗 References

https://support.apple.com/en-us/122716 Release Notes,Vendor Advisory
https://support.apple.com/en-us/122717 Release Notes,Vendor Advisory
https://support.apple.com/en-us/122718 Release Notes,Vendor Advisory
http://seclists.org/fulldisclosure/2025/May/7
http://seclists.org/fulldisclosure/2025/May/8
http://seclists.org/fulldisclosure/2025/May/9

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-31237, you might also want to check these: