CVE-2024-54539 is a vulnerability discovered in Apple macOS that allows a malicious application to capture keyboard events even when the system is on the lock screen. The root cause is improper state management within the OS that fails to restrict apps from intercepting keyboard input before user authentication. This can lead to unauthorized capture of sensitive information such as passwords or other confidential keystrokes entered at the lock screen. The vulnerability affects multiple versions of macOS prior to the patched releases: macOS Sequoia 15.2, macOS Sonoma 14.7.2, and macOS Ventura 13.7.2. Exploitation requires the attacker to have local access to the machine and to run a malicious app, which also requires user interaction to some extent. The CVSS v3.1 score is 5.5 (medium severity), with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, no integrity or availability impact. Apple fixed the issue by improving the state management to prevent apps from capturing keyboard events on the lock screen. No known exploits have been reported in the wild, but the vulnerability poses a risk of credential theft or information leakage if exploited. Organizations using affected macOS versions should apply the updates promptly to mitigate this risk.

The primary impact of CVE-2024-54539 is the potential unauthorized disclosure of sensitive information entered at the lock screen, such as passwords or other confidential keystrokes. This can lead to credential theft, unauthorized access, and subsequent compromise of user accounts or systems. Although the vulnerability does not affect system integrity or availability, the confidentiality breach can have serious consequences, especially in environments where macOS devices are used to access sensitive corporate or government resources. The requirement for local access and user interaction limits the attack scope but does not eliminate risk in scenarios where attackers gain physical or remote access to user machines. Organizations with high-value targets or sensitive data on macOS systems are at increased risk. Failure to patch may enable attackers to bypass lock screen protections and capture input stealthily, undermining user trust and security controls.

To mitigate CVE-2024-54539, organizations should immediately deploy the security updates released by Apple: macOS Sequoia 15.2, macOS Sonoma 14.7.2, and macOS Ventura 13.7.2 or later. Beyond patching, organizations should enforce strict endpoint security policies to prevent installation of unauthorized applications, including the use of application whitelisting and endpoint detection and response (EDR) solutions. Physical security controls should be enhanced to prevent unauthorized local access to devices. User education is important to reduce the risk of running untrusted applications that could exploit this vulnerability. Additionally, enabling FileVault full disk encryption and strong authentication mechanisms can help limit the impact of potential credential exposure. Regular auditing and monitoring for unusual local application behavior or keyboard event capture attempts can provide early detection of exploitation attempts. Finally, organizations should review and restrict user privileges to minimize the ability of malicious apps to execute.