CVE-2025-43410
📋 TL;DR
This vulnerability allows an attacker with physical access to a Mac to view deleted notes due to improper cache handling. It affects macOS users running vulnerable versions of Sequoia, Tahoe, and Sonoma. The risk is limited to attackers who can physically interact with the device.
💻 Affected Systems
- macOS
📦 What is this software?
macOS by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
⚠️ Risk & Real-World Impact
Worst Case
Sensitive deleted notes containing personal information, passwords, or confidential data could be recovered by an attacker with physical access.
Likely Case
Deleted notes that were thought to be permanently removed could be viewed by someone with brief physical access to the device.
If Mitigated
With proper physical security controls, the risk is minimal as the attacker needs direct device access.
🎯 Exploit Status
Exploitation requires physical device access and knowledge of cache manipulation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Sequoia 15.7.2, macOS Tahoe 26.2, macOS Sonoma 14.8.2
Vendor Advisory: https://support.apple.com/en-us/125635
Restart Required: Yes
Instructions:
1. Open System Settings > General > Software Update.
2. Install available updates.
3. Restart when prompted.
🔧 Temporary Workarounds
Disable Notes app
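Applies to: all
Remove or disable the Notes application to prevent exploitation. On current macOS releases Notes.app is a built-in app on the SIP-protected system volume (/System/Applications), so the command below may have no effect.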
sudo rm -rf /Applications/Notes.app
Enable FileVault encryption
Applies to: all
Full disk encryption prevents access to deleted files when device is powered off.
sudo fdesetup enable
🧯 If You Can't Patch
- Implement strict physical security controls for devices
- Use third-party note applications with secure deletion features
🔍 How to Verify
Check if Vulnerable:
Check the macOS version in System Settings > General > About. If the version is earlier than the patched version for its release, the device is vulnerable.
Check Version:
sw_vers
Verify Fix Applied:
Confirm macOS version matches or exceeds: Sequoia 15.7.2, Tahoe 26.2, or Sonoma 14.8.2.
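The version check above as a script, an added example that is not part of the original advisory: it compares a version string field by field against the fixed release for its branch, and reports branches this page does not list as unknown. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory). Fixed versions are the ones this
# page lists; the function names are assumptions of this example.

# Print the first fixed version for a major release, or nothing when the
# page lists no fix for that branch.
fixed_for_major() {
    case "$1" in
        14) echo "14.8.2" ;;   # Sonoma
        15) echo "15.7.2" ;;   # Sequoia
        26) echo "26.2" ;;     # Tahoe
    esac
}

# Succeed if version $1 >= version $2. Fields are compared as numbers
# (so 14.8.10 > 14.8.2) and missing fields count as 0 (26.2 == 26.2.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "patched", "vulnerable" or "unknown" for a product version string.
cve_2025_43410_status() {
    case "$1" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;   # not a dotted number
    esac
    fixed="$(fixed_for_major "${1%%.*}")"
    if [ -z "$fixed" ]; then
        echo "unknown"        # branch not listed here; see the vendor advisory
    elif version_ge "$1" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# On a Mac, report the status of the running system.
if command -v sw_vers >/dev/null 2>&1; then
    v="$(sw_vers -productVersion)"
    echo "macOS $v: $(cve_2025_43410_status "$v")"
fi
```

For fleet checks, feed `cve_2025_43410_status` the version strings exported from an inventory or MDM report instead of calling `sw_vers` locally.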
📡 Detection & Monitoring
Log Indicators:
- Unusual physical access logs
- Unauthorized user login attempts
Network Indicators:
- None - this is a local physical access vulnerability
SIEM Query:
No network-based detection possible for this physical access vulnerability