macOS

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw

A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.

Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.

This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates.

OEM	Apple
Severity	Critical
CVSS	9.8
CVEs	CVE-2025-24118
Exploited in Wild	No
Publicly POC Available	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.

Vulnerability Name	CVE ID	Product Affected	Severity
Race Condition Vulnerability	CVE-2025-24118	Apple	Critical

Technical Summary

This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24118	macOS Sonoma prior to 14.7.3 macOS Sequoia prior to 15.3 iPadOS prior to 17.7.4	A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition.	Privilege escalation, memory corruption, potential kernel-level code execution

Remediation:

Patch Installation: Users should upgrade to macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4 to mitigate the risk.

Conclusion:

CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.

References:

https://github.com/jprx/CVE-2025-24118

https://support.apple.com/en-us/122069

https://securityonline.info/poc-exploit-released-for-macos-kernel-vulnerability-cve-2025-24118-cvss-9-8/

Apple Patched Actively Exploited Zero-Day Vulnerability

Summary

CVE-2025-24085 is a zero-day vulnerability in Apple’s “Core Media framework” which enables malicious applications to potentially gain elevated privileges on impacted devices. It falls under the “Memory Corruption vulnerability category”, posing significant security risks such as unauthorized access to sensitive data or potential device control.

OEM	Apple Inc
Severity	High
CVEs	CVE-2025-24085
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Privilege escalation vulnerability	CVE-2025-24085	Apple	High	iPhone-XS and later, macOS Sequoia iPad-Pro (3rd generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later) Apple Watch: Series 6 and later Apple TV: All models

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24085	iPhone, iPad, Mac, Apple Watch, Apple TV	CVE-2025-24085 is a memory management vulnerability in Apple’s Core Media framework, responsible for processing audio and video content. The vulnerability stems from improper handling of media data, allowing attackers to execute arbitrary code with elevated privileges. It can be remotely exploited through malicious media files, creating significant security risks.	Arbitrary Code Execution, Privilege Escalation, Sensitive Data Exposure, Remote Exploitation via Media Files

Remediation:

Update: Ensure the latest patches are applied to affected Apple devices as listed below

Affected Version(s)	Fixes and Releases
iOS 17.2 and later	iOS 18.3
iPadOS 17.2 and later	iPadOS 18.3
macOS Sequoia (all previous versions)	macOS Sequoia 15.3
watchOS 10.3 and later	watchOS 11.3
tvOS 17.2 and later	tvOS 18.3
visionOS 1.3 and later	visionOS 2.3

Apple has fixed this vulnerability in these software versions. Update devices immediately to mitigate the risk of exploitation.

General Recommendations:

Untrusted Media: Avoid opening suspicious media files, emails, or links from unknown sources, as the vulnerability can be exploited remotely via malicious media.
Automatic Updates: Enable automatic updates on all Apple devices to ensure timely installation of future security patches.

References:

Banshee Stealer: A Growing Threat to macOS Users

Overview

Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS.

Key Threat Details:

Malware Capabilities:

Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security.

User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access.

Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging.

C&C decryption Source: Cybersecurity News

Evasion Tactics:

Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems.

Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods.

Distribution Mechanisms:

Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files.

Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware.

Repository releases source: Cybersecurity News

Recent Developments:

Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally.

Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape.

Impact:

Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses.

Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications.

Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide.

Indicators of Compromise (IOCs):

The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link .

IP Address and Domain	File Hash
41.216.183[.]49	00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93
Alden[.]io	1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416
api7[.]cfd	3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab
Authorisev[.]site	b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114

Recommendations:

To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures:

Avoid Untrusted Downloads:

Refrain from downloading software from unverified sources, particularly free or “cracked” versions.

Verify the authenticity of GitHub repositories before downloading any files.

Strengthening System Defenses:

Regularly update macOS and all installed applications to patch known vulnerabilities.

Deploy advanced security solutions with real-time threat detection and proactive intelligence.

Enhance Awareness and Training:

Educate users on identifying phishing websites and suspicious downloads.

Encourage caution when responding to system prompts or entering credentials.

Enable Two-Factor Authentication (2FA):

Secure accounts with 2FA to minimize the impact of stolen credentials.

Monitor System Activity:

Regularly review system logs for unauthorized changes or suspicious activity.

Use tools to monitor unexpected outgoing data transmissions.

Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.

Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early.

Conclusion:

The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats.

References:

https://blog.checkpoint.com/research/cracking-the-code-how-banshee-stealer-targets-macos-users/

https://cybersecuritynews.com/banshee-malware-targets-macos/#google_vignette

https://otx.alienvault.com/pulse/677fe682d3832164346deca1