CVE-2024-54490 is a vulnerability in Apple macOS that allows a local attacker with limited privileges (PR:L) to gain unauthorized access to a user's Keychain items, which typically store sensitive credentials such as passwords, certificates, and cryptographic keys. The vulnerability stems from insufficient security enforcement that was mitigated by enabling the hardened runtime feature in macOS Sequoia 15.2. The hardened runtime is a security mechanism that restricts the capabilities of processes to prevent unauthorized access to protected resources. Prior to this fix, an attacker with local access could exploit the weakness to read Keychain data without needing user interaction (UI:N). The CVSS vector indicates the attack complexity is low (AC:L), and the scope remains unchanged (S:U), meaning the vulnerability affects only the local system context. The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No public exploits or active exploitation have been reported, but the vulnerability poses a risk to users who store sensitive information in the Keychain and have local attackers with some access privileges. The vulnerability is tracked under CWE-346, which relates to insufficient authorization. The fix involves enabling the hardened runtime, which enforces stricter runtime protections to prevent unauthorized Keychain access. The affected versions are unspecified, but the fix is included in macOS Sequoia 15.2, so earlier versions remain vulnerable.

For European organizations, this vulnerability poses a significant confidentiality risk, especially for entities relying heavily on macOS devices for storing sensitive credentials in the Keychain, such as passwords, private keys, and certificates. If a local attacker gains access—through physical access, compromised user accounts, or malware with limited privileges—they could extract sensitive authentication material, potentially leading to lateral movement, privilege escalation, or data breaches. Sectors such as finance, healthcare, government, and technology firms that use macOS extensively are particularly at risk. The vulnerability does not affect integrity or availability, so direct disruption is unlikely, but the exposure of credentials could facilitate further attacks. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure. Organizations with remote or hybrid work models where devices may be less physically secure should be vigilant. The medium severity rating reflects the need for timely patching to prevent potential exploitation.

European organizations should prioritize upgrading all macOS devices to macOS Sequoia 15.2 or later, where the hardened runtime is enabled by default, mitigating this vulnerability. For environments where immediate upgrade is not feasible, organizations should enforce strict local access controls, including limiting physical access to devices and restricting user privileges to the minimum necessary. Implement endpoint detection and response (EDR) solutions capable of detecting suspicious local activity that attempts to access Keychain items. Regularly audit user accounts and permissions to prevent unauthorized local access. Employ disk encryption (FileVault) to protect data at rest, reducing risk if devices are stolen. Educate users about the risks of local attacks and the importance of device security. Monitor for unusual authentication or credential access patterns that could indicate exploitation attempts. Finally, maintain an up-to-date asset inventory to ensure all macOS devices are identified and patched promptly.