CVE-2025-43394
📋 TL;DR
A symlink handling vulnerability in macOS allows applications to bypass file system protections and access sensitive user data. This affects macOS Sequoia, Tahoe, and Sonoma systems before specific patch versions. The vulnerability requires local application execution to exploit.
💻 Affected Systems
- macOS
📦 What is this software?
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →⚠️ Risk & Real-World Impact
Worst Case
Malicious application could access protected user files including keychain data, passwords, documents, and other sensitive information stored in protected directories.
Likely Case
Malware or compromised applications could exfiltrate user data from protected locations that should be inaccessible.
If Mitigated
With proper application sandboxing and user permission controls, impact is limited to data accessible by the exploited application's permissions.
🎯 Exploit Status
Exploitation requires creating a malicious application that leverages symlink handling to bypass file system protections. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2
Vendor Advisory: https://support.apple.com/en-us/125634
Restart Required: Yes
Instructions:
1. Open System Settings 2. Click General 3. Click Software Update 4. Install available updates 5. Restart when prompted
🔧 Temporary Workarounds
Restrict application installation
allOnly install applications from trusted sources and the App Store
Enable Gatekeeper
macOSEnsure Gatekeeper is enabled to block unsigned applications
sudo spctl --master-enable
🧯 If You Can't Patch
- Implement application allowlisting to prevent unauthorized applications from running
- Use full disk encryption and limit user access to sensitive data directories
🔍 How to Verify
Check if Vulnerable:
Check macOS version in System Settings > General > About. If version is earlier than patched versions, system is vulnerable.Check Version:
sw_versVerify Fix Applied:
Verify macOS version matches or exceeds: Sequoia 15.7.2, Tahoe 26.1, or Sonoma 14.8.2📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in protected directories
- Applications accessing files outside their sandbox
Network Indicators:
- Unexpected outbound data transfers from applications
SIEM Query:
source="macos" AND (event="file_access" AND path CONTAINS "/Users/" AND NOT user_process="authorized")