CVE-2025-24204

CRITICAL

macOS < 15.4 - Unprotected User Data Exposure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-24204. PoCs published by 34306, FFRI.

AI-analyzed exploit summary This repository contains a scanner tool for detecting FairPlay-encrypted iOS applications on macOS, leveraging CVE-2025-24204. It identifies encrypted binaries and App Store receipts but does not include exploit code for decryption.

Description

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.

Exploits (2)

nomisec SCANNER 111 stars

by 34306 · poc

https://github.com/34306/decrypted

View Code ZIP pw:eip

This repository contains a scanner tool for detecting FairPlay-encrypted iOS applications on macOS, leveraging CVE-2025-24204. It identifies encrypted binaries and App Store receipts but does not include exploit code for decryption.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: macOS 15.0-15.2 with SIP-enabled

No auth needed

Prerequisites: Access to macOS system with target applications installed

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 103 stars

by FFRI · poc

https://github.com/FFRI/CVE-2025-24204

View Code ZIP pw:eip

This repository contains a working proof-of-concept exploit for CVE-2025-24204, which leverages an overly permissive entitlement in the `gcore` binary to read arbitrary process memory on SIP-enabled macOS systems. The exploit includes modules for bypassing TCC, decrypting keychain data, and decrypting FairPlay-encrypted iOS apps.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: macOS (SIP-enabled systems)

Auth required

Prerequisites: Root access · Target process must be running · macOS system with SIP enabled

MITRE ATT&CK

T1003 - OS Credential Dumping T1059 - Command and Scripting Interpreter T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Release Notes, Vendor Advisory

https://support.apple.com/en-us/122373

Mailing List

http://seclists.org/fulldisclosure/2025/Apr/8

Scores

CVSS v3 9.8

EPSS 0.0130

EPSS Percentile 66.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-200

Status published

Products (2)

apple/macos < 15.4

Apple/macOS < 15.4

Published Mar 31, 2025

Tracked Since Feb 18, 2026