CVE-2025-24245 in macOS
Summary
by MITRE • 04/01/2025
This issue was addressed by adding a delay between verification code attempts. This issue is fixed in macOS Sequoia 15.4. A malicious app may be able to access a user's saved passwords.
Analysis
by VulDB Data Team • 04/01/2025
CVE-2025-24245 describes a weakness in macOS, fixed in macOS Sequoia 15.4, through which a malicious application could gain access to a user's saved passwords by abusing the verification-code check that guards them. The issue lies in the authentication step that protects credentials held by the operating system's password management system: the check did not enforce sufficient rate limiting or delay between verification attempts, leaving a window in which an automated attacker could submit attempts far faster than a user ever would.
The flaw is a lack of throttling between authentication verification attempts: a malicious application could submit verification codes in rapid succession without being slowed down. This falls under CWE-307, improper restriction of excessive authentication attempts. With no enforced delay, an attacker can make many verification attempts in quick succession and defeat the control that would otherwise prevent unauthorized access to saved passwords.
In terms of impact, a malicious application exploiting this weakness could read passwords held in the system's secure credential storage by defeating the verification step that gates access to them. Those credentials could then be reused for further exploitation or identity theft, so the risk to user privacy and account security is significant. The weakness also undermines the principle of least privilege, since it lets software without the user's authorization bypass a normal authentication control.
The fix in macOS Sequoia 15.4 introduces a delay between verification code attempts, so rapid successive attempts no longer succeed and the credential store cannot be attacked at speed. This is the standard rate-limiting control for authentication, and the activity it blocks (brute force and credential stuffing) is catalogued in the ATT&CK framework under credential access and privilege escalation techniques. Organizations should update to macOS Sequoia 15.4 or later: the delay makes automated attempts against the verification step impractical and restores the integrity of the authentication path to saved passwords.
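As an added illustration of the CWE-307 control described above (example code written for this entry, not Apple's implementation), the following Python models a verification-code check with and without an enforced, growing delay between failed attempts; the class name, the code value and the timings are constructed for the example.

```python
import hmac


class VerificationCodeGate:
    """Verifies a short code while enforcing a growing delay after each
    failed attempt, the CWE-307 control the macOS fix describes.
    Hypothetical example, not Apple's code; time is integer milliseconds
    passed in by the caller so behaviour is deterministic and testable."""

    def __init__(self, expected_code, base_delay_ms=1000, max_delay_ms=60000):
        self._expected = expected_code.encode()
        self._base_delay_ms = base_delay_ms
        self._max_delay_ms = max_delay_ms
        self._failures = 0
        self._next_allowed_ms = 0

    def attempt(self, submitted, now_ms):
        """Returns (status, retry_after_ms); status is 'ok', 'wrong' or
        'throttled'. While throttled the code is not evaluated at all, so
        even a correct guess is refused and nothing is learned about it."""
        if now_ms < self._next_allowed_ms:
            return "throttled", self._next_allowed_ms - now_ms
        # constant-time comparison: do not leak how many characters matched
        if hmac.compare_digest(submitted.encode(), self._expected):
            self._failures = 0
            self._next_allowed_ms = 0
            return "ok", 0
        self._failures += 1
        # exponential backoff (1 s, 2 s, 4 s, ...) capped at max_delay_ms
        growth = 2 ** min(self._failures - 1, 16)
        delay = min(self._base_delay_ms * growth, self._max_delay_ms)
        self._next_allowed_ms = now_ms + delay
        return "wrong", delay


def evaluated_guesses(expected, submissions, interval_ms, throttled=True):
    """Counts how many guesses actually get evaluated when an app submits one
    every interval_ms. The guess '000000' is a constructed value chosen never
    to match, so the count reflects the throttle alone."""
    if throttled:
        gate = VerificationCodeGate(expected)
    else:
        gate = VerificationCodeGate(expected, base_delay_ms=0, max_delay_ms=0)
    evaluated = 0
    for i in range(submissions):
        status, _ = gate.attempt("000000", i * interval_ms)
        if status == "wrong":
            evaluated += 1
    return evaluated
```

With 6000 guesses submitted every 10 ms, the unthrottled gate evaluates all 6000 while the throttled one evaluates only 6 in the same minute, which is the effect the macOS fix relies on.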