CVE-2025-43387 is a vulnerability in Apple macOS that stems from a permissions issue allowing a malicious application to escalate privileges to root level. The vulnerability is classified under CWE-863, indicating improper authorization checks. Specifically, a malicious app running with limited privileges (local access with low privileges) can exploit this flaw to gain unrestricted root access, compromising the entire system. The issue was resolved by Apple through additional restrictions implemented in macOS Sequoia 15.7.2 and macOS Tahoe 26.1. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with an attack vector requiring local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), and unchanged scope (S:U). No public exploits are known yet, but the vulnerability poses a significant risk because it allows full system compromise without user interaction once local access is obtained. This makes it particularly dangerous in environments where users may inadvertently run untrusted applications or where attackers have some foothold on the system. The vulnerability affects unspecified macOS versions prior to the fixed releases, so organizations must verify their versions and update accordingly. The root privilege escalation can lead to data theft, system manipulation, installation of persistent malware, and disruption of services.

For European organizations, this vulnerability presents a critical risk especially in sectors with significant macOS usage such as creative agencies, financial institutions, government bodies, and technology companies. The ability for a malicious app to gain root privileges can lead to full system compromise, exposing sensitive data, intellectual property, and critical infrastructure. Attackers could leverage this vulnerability to establish persistent backdoors, manipulate system configurations, or disrupt operations. Given the local access requirement, insider threats or attackers who have already gained limited access could escalate their privileges rapidly. This could also impact organizations relying on macOS for endpoint security or development environments, potentially undermining trust in these systems. The lack of required user interaction increases the risk of automated exploitation once local access is achieved. The vulnerability could also affect supply chain security if compromised developer machines are used to sign or distribute software. Overall, the impact on confidentiality, integrity, and availability is severe, warranting immediate attention from European organizations using affected macOS versions.

1. Immediately update all macOS systems to Sequoia 15.7.2 or Tahoe 26.1 or later versions that include the patch for CVE-2025-43387. 2. Restrict local user permissions to prevent installation or execution of untrusted applications, especially in sensitive environments. 3. Implement application whitelisting to limit which apps can run on macOS endpoints. 4. Monitor systems for unusual privilege escalation attempts or suspicious local activity using endpoint detection and response (EDR) tools. 5. Enforce strict access controls and audit logs to detect and respond to unauthorized privilege escalations. 6. Educate users about the risks of running untrusted software and enforce policies to minimize local attack surface. 7. For organizations using macOS in development or build environments, ensure supply chain security by validating software integrity and restricting developer machine access. 8. Consider network segmentation to limit lateral movement if a macOS device is compromised. 9. Regularly review and update security policies to incorporate lessons learned from this vulnerability and similar privilege escalation risks.