CVE-2024-44128: An Automator Quick Action workflow may be able to bypass Gatekeeper in Apple macOS
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An Automator Quick Action workflow may be able to bypass Gatekeeper.
AI Analysis
Technical Summary
CVE-2024-44128 is a vulnerability in Apple macOS involving Automator Quick Action workflows, the user-created or pre-built automation scripts that Automator runs to streamline tasks. The flaw allows such a workflow to bypass Gatekeeper, the built-in macOS control that restricts execution of untrusted or unsigned software to protect users from malware. Normally Gatekeeper prompts the user for consent before running potentially unsafe code; with this vulnerability, certain Quick Action workflows execute without triggering that prompt, circumventing the control.

The vulnerability is classified under CWE-841 (Improper Enforcement of Behavioral Workflow), indicating that the expected security checks were not enforced during workflow execution. The CVSS 3.1 base score is 5.5 (medium): attack vector local (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H) and no availability impact (A:N). In practice, an attacker with local access and low privileges can exploit the flaw without user interaction to alter system integrity, for example by executing unauthorized code or modifying system behavior.

The issue affects macOS versions prior to Ventura 13.7, Sonoma 14.7 and Sequoia 15; Apple addressed it in those releases by adding an additional prompt for user consent so that the bypass no longer happens silently. No exploits in the wild were known at the time of publication, but the vulnerability presents a risk especially where local access is possible or where malicious insiders or compromised accounts exist.
Potential Impact
For European organizations, the primary impact of CVE-2024-44128 lies in the potential for unauthorized code execution or modification of system behavior on macOS devices. Because the vulnerability allows Gatekeeper to be bypassed without user interaction, attackers with local access and low privileges could extend their capabilities, potentially establishing persistence or moving laterally within networks. This threatens the integrity of systems, especially in sectors that rely heavily on macOS devices such as the creative industries, software development firms, and certain governmental or educational institutions. Confidentiality and availability are not directly impacted, but an integrity compromise can lead to further attacks or data manipulation. Since no user interaction is required, the risk is higher in environments where automated workflows are common. Organizations running older macOS versions without the patch are vulnerable. The absence of known exploits reduces the immediate risk but does not eliminate the threat, as threat actors may develop exploits over time. Failure to patch could leave systems open to targeted attacks or insider threats exploiting this vulnerability.
Mitigation Recommendations
European organizations should prioritize updating macOS devices to Ventura 13.7, Sonoma 14.7, Sequoia 15, or later, where the vulnerability is fixed. Where immediate patching is not feasible:
- Restrict local access to macOS systems to trusted personnel only, and monitor for unusual Automator Quick Action workflows or unexpected execution patterns.
- Deploy endpoint detection and response (EDR) tooling capable of detecting anomalous script execution or workflow activity.
- Educate users and administrators about the risks of running untrusted Automator workflows, and enforce policies limiting the creation or execution of such workflows.
- Use application whitelisting to block unauthorized automation scripts.
- Regularly audit macOS systems for unauthorized modifications and review security logs for suspicious activity.
- Consider macOS security configurations that enforce stricter Gatekeeper policies, and monitor for bypass attempts.
- Maintain a robust incident response plan so that any exploitation attempt can be handled quickly.
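As an added example (not part of the advisory), a shell audit that applies the first two recommendations: it checks whether the running macOS version is at or beyond the fixed releases named above and lists the installed Quick Action workflows together with their quarantine status. It assumes the standard Automator locations ~/Library/Services and /Library/Services and the macOS sw_vers and xattr tools; the version logic itself runs on any POSIX shell.

```shell
# Added example (not from the advisory): audit a Mac for CVE-2024-44128 by
# checking the OS version against the fixed releases and listing Quick Actions.

# version_ge A B: succeeds when dotted version A is >= B (numeric fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# is_patched VERSION: succeeds when VERSION includes the fix for its major release.
is_patched() {
    major=${1%%.*}
    case "$major" in
        13) version_ge "$1" 13.7 ;;
        14) version_ge "$1" 14.7 ;;
        15) version_ge "$1" 15 ;;
        *)  [ "$major" -gt 15 ] 2>/dev/null ;;  # later majors carry the fix; earlier ones never got it
    esac
}

# list_quick_actions: print each Quick Action bundle in the per-user and system
# Services folders, tagged with whether it still has the com.apple.quarantine
# attribute that Gatekeeper evaluates on downloaded files.
list_quick_actions() {
    for dir in "$HOME/Library/Services" /Library/Services; do
        for wf in "$dir"/*.workflow; do
            [ -e "$wf" ] || continue
            if xattr -p com.apple.quarantine "$wf" >/dev/null 2>&1; then
                printf 'quarantined\t%s\n' "$wf"
            else
                printf 'no-quarantine\t%s\n' "$wf"
            fi
        done
    done
}

# The live checks need macOS tools (sw_vers, xattr), so run them only on Darwin.
if [ "$(uname -s)" = Darwin ]; then
    ver=$(sw_vers -productVersion)
    is_patched "$ver" && echo "macOS $ver: fixed release" || echo "macOS $ver: NOT fixed, update"
    list_quick_actions
fi
```

A workflow without the quarantine attribute is not necessarily malicious (locally created workflows never carry it); the listing is a starting point for reviewing which Quick Actions are present and where they came from.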
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Norway, Denmark, Finland, Ireland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2024-08-20T21:42:05.918Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690a2df6f0ba78a050537692
Added to database: 11/4/2025, 4:46:46 PM
Last enriched: 11/4/2025, 5:23:46 PM
Last updated: 12/13/2025, 2:49:39 PM