A critical sandbox escape vulnerability was discovered in multiple Apple operating systems, tracked as CVE-2025-31191. The flaw resides in the security-scoped bookmarks mechanism, which is intended to grant sandboxed applications persistent, user-approved access to files outside their containers. By exploiting a weak keychain protection model, a malicious process running inside any vulnerable sandboxed app can delete the legitimate signing secret for the ScopedBookmarkAgent and replace it with an attacker-controlled key. With the new key in place, the attacker can generate forged bookmarks for arbitrary files, inject them into the securebookmarks.plist, and bypass App Sandbox restrictions without additional user consent. This chain of actions enables unauthorized access to sensitive user data, including private documents and potentially system files, elevating privileges and paving the way for further exploitation. The proof-of-concept demonstrated by Microsoft showed an Office macro delivering the exploit, but any sandboxed app on macOS Ventura, Sequoia, Sonoma, iOS, iPadOS, or tvOS is at risk. Apple has released patches that improve state management to prevent key deletion and replacement, and users are urged to update immediately. Organizations leveraging Microsoft Defender for Endpoint can detect suspicious keychain manipulations related to this attack vector.
Source: https://cybersecuritynews.com/macos-sandbox-escape-vulnerability/
TPRM report: https://scoringcyber.rankiteo.com/company/apple
"id": "app300050225",
"linkid": "apple",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {"industry": "Technology", "name": "Apple", "type": "Organization"}
  ],
  "attack_vector": ["Office macro", "Sandboxed app"],
  "data_breach": {
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Sensitive user data, private documents, potentially system files"
  },
  "description": "A critical sandbox escape vulnerability was discovered in multiple Apple operating systems, tracked as CVE-2025-31191. The flaw resides in the security-scoped bookmarks mechanism, which is intended to grant sandboxed applications persistent, user-approved access to files outside their containers. By exploiting a weak keychain protection model, a malicious process running inside any vulnerable sandboxed app can delete the legitimate signing secret for the ScopedBookmarkAgent and replace it with an attacker-controlled key. With the new key in place, the attacker can generate forged bookmarks for arbitrary files, inject them into the securebookmarks.plist, and bypass App Sandbox restrictions without additional user consent. This chain of actions enables unauthorized access to sensitive user data, including private documents and potentially system files, elevating privileges and paving the way for further exploitation. The proof-of-concept demonstrated by Microsoft showed an Office macro delivering the exploit, but any sandboxed app on macOS Ventura, Sequoia, Sonoma, iOS, iPadOS, or tvOS is at risk. Apple has released patches that improve state management to prevent key deletion and replacement, and users are urged to update immediately. Organizations leveraging Microsoft Defender for Endpoint can detect suspicious keychain manipulations related to this attack vector.",
  "impact": {
    "data_compromised": "Sensitive user data, private documents, potentially system files",
    "systems_affected": ["macOS Ventura", "Sequoia", "Sonoma", "iOS", "iPadOS", "tvOS"]
  },
  "initial_access_broker": {"entry_point": "Sandboxed app"},
  "motivation": "Unauthorized access to sensitive user data, privilege escalation",
  "post_incident_analysis": {
    "corrective_actions": "Patches released by Apple to improve state management",
    "root_causes": "Weak keychain protection model"
  },
  "recommendations": "Update to the latest patches released by Apple, use Microsoft Defender for Endpoint for detection",
  "response": {
    "enhanced_monitoring": "Organizations leveraging Microsoft Defender for Endpoint can detect suspicious keychain manipulations",
    "remediation_measures": "Users urged to update immediately, patches released by Apple"
  },
  "title": "CVE-2025-31191 Sandbox Escape Vulnerability in Apple Operating Systems",
  "type": "Sandbox Escape Vulnerability",
  "vulnerability_exploited": "CVE-2025-31191"
}