CVE-2024-54490 is a vulnerability identified in Apple macOS that allows a local attacker to gain unauthorized access to a user's Keychain items. The Keychain is a secure storage system used by macOS to store sensitive information such as passwords, certificates, and cryptographic keys. The root cause of this vulnerability is the lack of hardened runtime enforcement, which is a security feature designed to restrict the capabilities of processes and prevent unauthorized access to sensitive resources. By exploiting this weakness, an attacker with local access and low privileges can bypass protections and extract confidential Keychain data without requiring user interaction. This vulnerability was addressed by Apple in macOS Sequoia 15.2, where hardened runtime protections were enabled to prevent such unauthorized access. The vulnerability is classified under CWE-346, which relates to insufficient authorization. The CVSS v3.1 base score is 5.5, indicating a medium severity level, with an attack vector of local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality (C:H) but no impact on integrity (I:N) or availability (A:N). No public exploits have been reported to date, but the vulnerability poses a significant risk to the confidentiality of sensitive credentials stored in the Keychain.

The primary impact of CVE-2024-54490 is the compromise of confidentiality for users' sensitive credentials stored in the macOS Keychain. This can lead to unauthorized access to various services and accounts if attackers extract passwords, tokens, or cryptographic keys. Organizations relying on macOS devices for secure authentication, encrypted communications, or sensitive data storage may face increased risk of credential theft and subsequent lateral movement within networks. Although the vulnerability requires local access and low privileges, it can be exploited by malicious insiders or attackers who gain initial foothold on a device. The lack of impact on integrity and availability limits the scope to data exposure rather than system disruption or data manipulation. However, the exposure of credentials can facilitate further attacks, including privilege escalation and data exfiltration. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure. The medium severity rating reflects the balance between the attack complexity and the potential damage from credential compromise.

To mitigate CVE-2024-54490, organizations and users should promptly update affected macOS systems to version Sequoia 15.2 or later, where the hardened runtime protections are enabled to prevent unauthorized Keychain access. Beyond patching, organizations should implement strict local access controls and limit user privileges to reduce the risk of exploitation by local attackers. Employing endpoint detection and response (EDR) solutions can help detect suspicious local activity indicative of attempts to access Keychain data. Regular audits of user accounts and device access logs can identify potential insider threats. Additionally, enabling full disk encryption and using multi-factor authentication (MFA) for critical services can reduce the impact of credential compromise. Security teams should monitor for any emerging exploit code or proof-of-concept releases and be prepared to apply additional mitigations or containment measures if needed. Finally, educating users about the risks of local malware and enforcing strong physical security controls on devices can further reduce exposure.