Apple’s macOS Sequoia 15.0, renowned for its robust security measures, was recently found to have a significant vulnerability that could have allowed unauthorized access to users’ Keychain data, including sensitive passwords. This flaw, identified as CVE-2025-24204, was disclosed by security researcher Koh M. Nakagawa from FFRI Security during the Nullcon Berlin 2025 conference.
Discovery of the Vulnerability
Nakagawa’s investigation revealed that the ‘gcore’ debugging utility in macOS Sequoia was inadvertently granted a system-level entitlement. This misconfiguration compromised critical security boundaries, allowing any user with local access to read the memory of any process, even with System Integrity Protection (SIP) enabled. This exposure made it possible to retrieve Keychain encryption keys and bypass Transparency, Consent, and Control (TCC) restrictions. Additionally, it enabled the decryption of iOS applications running on Apple Silicon Macs, effectively undermining several of Apple’s core security defenses.
Mechanism of the Exploit
The ‘gcore’ utility, designed for generating core dumps of running processes, was found to have the ‘com.apple.system-task-ports.read’ entitlement. This entitlement provided unrestricted memory access, allowing attackers to extract sensitive information from protected processes. By dumping the memory of the ‘securityd’ process, which manages Keychain services, Nakagawa was able to recover the master key used to encrypt the login Keychain. With this key, decrypting the entire Keychain without the user’s password became feasible.
Furthermore, the vulnerability allowed attackers to circumvent TCC, Apple’s system designed to control app access to personal data. By loading protected files into memory, attackers could dump and reconstruct sensitive documents using tools like ‘vmmap.’ Even iOS applications were vulnerable, as Apple Silicon Macs can run iPhone and iPad apps whose binaries are encrypted at rest. Using ‘gcore,’ Nakagawa successfully recovered decrypted binaries while the apps were running, access that would typically require a jailbroken iPhone.
Apple’s Response and Mitigation
Apple addressed this critical vulnerability by removing the problematic entitlement in macOS Sequoia 15.3, released earlier in 2025. The company did not issue a prominent announcement regarding this fix, which is common practice for security updates. Detection of this vulnerability was possible through Apple’s Endpoint Security Framework, which can monitor for suspicious ‘task_read_for_pid’ calls. However, real-time detection and mitigation were challenging, and the most effective solution was to apply Apple’s update promptly.
Recommendations for Users
Users running macOS Sequoia are strongly advised to update immediately to version 15.3 or later, as this version includes the necessary fix for the vulnerability. Older versions remain exposed, and there is no workaround other than upgrading. Enabling automatic updates is recommended to ensure timely application of security patches.
For enhanced security, users might consider using a password manager separate from Apple’s Keychain to diversify the storage of sensitive credentials. While this approach does not protect against all macOS vulnerabilities, it adds an additional layer of security that attackers would need to breach.
Staying informed about Apple’s security advisories is crucial. These advisories, posted on the company’s support site, provide official records of security fixes and updates. Regularly reviewing these advisories can help users stay aware of potential vulnerabilities and the necessary steps to mitigate them.
Conclusion
The discovery of the CVE-2025-24204 vulnerability in macOS Sequoia underscores the importance of continuous vigilance and prompt action in the realm of cybersecurity. While Apple has addressed this specific issue, users must remain proactive in updating their systems and adopting best practices to safeguard their personal information against potential threats.
