CVE-2024-40787: A shortcut may be able to bypass Internet permission requirements in Apple iOS and iPadOS
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, watchOS 10.6. A shortcut may be able to bypass Internet permission requirements.
AI Analysis
Technical Summary
CVE-2024-40787 is a vulnerability in Apple’s iOS, iPadOS, and several macOS and watchOS versions that allows a shortcut to bypass the Internet permission requirements normally enforced by the operating system. Shortcuts are automation scripts that users can create or download to perform tasks on their devices. Normally, when a shortcut attempts to access the Internet, the system prompts the user for explicit consent to protect privacy and security. However, due to this vulnerability, a shortcut can circumvent these prompts, enabling it to send or receive data over the Internet without the user’s knowledge or approval. The vulnerability requires the attacker to have low-level privileges on the device (local access with limited rights) but does not require any user interaction to exploit once the shortcut is in place. The flaw impacts confidentiality and integrity by potentially allowing unauthorized data transmission or manipulation, but it does not affect system availability. Apple fixed this issue by introducing an additional user consent prompt in iOS 17.6, iPadOS 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, and watchOS 10.6. There are no known exploits in the wild at the time of publication, but the CVSS score of 7.1 reflects the high risk posed by this vulnerability due to its ability to bypass security controls and the sensitive nature of Internet access permissions on personal devices.
Potential Impact
The primary impact of CVE-2024-40787 is the unauthorized bypass of Internet permission controls on Apple devices, which can lead to significant confidentiality and integrity risks. Attackers with local access can exploit this vulnerability to exfiltrate sensitive data, communicate with command and control servers, or manipulate data transmitted over the Internet without user consent. This undermines user privacy and can facilitate further attacks such as data theft, espionage, or malware propagation. Since the vulnerability does not require user interaction and only low privileges, it lowers the barrier for exploitation once an attacker gains local access, increasing the threat to organizations that use Apple devices extensively. The lack of impact on availability means systems remain operational, but the stealthy nature of the exploit can delay detection and response. Organizations handling sensitive information or operating in regulated industries face increased compliance and reputational risks if this vulnerability is exploited.
Mitigation Recommendations
To mitigate CVE-2024-40787, organizations and users should promptly update affected Apple devices to the patched versions: iOS 17.6, iPadOS 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, and watchOS 10.6. Beyond patching, organizations should enforce strict device access controls to prevent unauthorized local access, including strong authentication mechanisms and device encryption. Limit the use of shortcuts to those vetted and approved by IT security teams to reduce the risk of malicious or misconfigured shortcuts. Employ mobile device management (MDM) solutions to monitor and restrict shortcut creation and execution where possible. Educate users about the risks of installing untrusted shortcuts and the importance of reviewing permission prompts carefully. Regularly audit device configurations and network traffic for unusual activity that could indicate exploitation attempts. Finally, implement endpoint detection and response (EDR) tools capable of identifying anomalous shortcut behavior or unauthorized Internet communications.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India, Brazil, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2024-07-10T17:11:04.689Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690a3b53ff58c9332ff0749c
Added to database: 11/4/2025, 5:43:47 PM
Last enriched: 4/2/2026, 11:25:37 PM
Last updated: 5/12/2026, 9:30:25 PM