CVE-2014-4498
Description
The CPU Software in Apple OS X before 10.10.2 allows physically proximate attackers to modify firmware during the EFI update process by inserting a Thunderbolt device with crafted code in an Option ROM, aka the "Thunderstrike" issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Thunderstrike vulnerability (CVE-2014-4498) allows an attacker with physical access to modify Apple EFI firmware via a crafted Thunderbolt Option ROM, enabling persistent firmware bootkits on Mac systems.
Vulnerability
CVE-2014-4498, known as Thunderstrike, is a vulnerability in the CPU Software component of Apple OS X before version 10.10.2 [1]. The flaw resides in the EFI update process, where the system fails to properly authenticate Thunderbolt Option ROMs. An attacker can craft a malicious Thunderbolt device that, when connected, bypasses cryptographic signature checks during firmware updates and writes untrusted code to the SPI flash ROM [2]. This affects all Mac systems running OS X Mavericks 10.9.5 and OS X Yosemite before 10.10.2 [1].
Exploitation
An attacker requires physical access to the target Mac and a specially crafted Thunderbolt device containing malicious code in its Option ROM [2]. By connecting the device during the EFI update process, the attacker can flash arbitrary firmware to the system's boot ROM. The attack does not require any user interaction beyond the physical connection. Once the malicious firmware is installed, it can propagate by infecting other Thunderbolt devices connected subsequently, enabling an "evil maid" attack scenario and potential spread across air-gapped systems [2].
Impact
Successful exploitation results in persistent firmware compromise that survives OS reinstallation and hard drive replacement [2]. The attacker gains full control of the system from the very first instruction at boot time. The malicious code operates at the firmware level, below the operating system, and can use SMM (System Management Mode), virtualization, and other techniques to remain hidden from software detection [2]. The attacker can also replace Apple's public RSA key in the ROM, preventing software-based removal attempts unless signed by the attacker's private key. The only recovery method is physical reprogramming of the SPI flash with an in-system-programming device [2].
Mitigation
Apple addressed this vulnerability in OS X Yosemite 10.10.2 and Security Update 2015-001, released on January 27, 2015 [1]. Users should update to OS X 10.10.2 or later to receive the fix. According to Apple's advisory, the security content of the update addresses this CVE, though Apple does not disclose full technical details of the fix [1]. The Thunderstrike 2 variant (CVE-2015-3694) later introduced a no-hardware-required attack vector, which Apple addressed in subsequent updates. Users should ensure all security updates are applied, and physically secure their Macs against unauthorized access, as physical access is required for the initial exploitation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
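For defenders auditing Thunderbolt peripherals, an Option ROM dump can be inventoried image by image and compared against a known-good baseline. The following is an added example, not code from this page or its references; it assumes the standard PCI expansion ROM layout (0x55AA header, "PCIR" data structure), and the sample bytes, vendor/device IDs and baseline are constructed.

```python
import hashlib
import struct

# Code-type values from the PCI data structure ("PCIR") of an expansion ROM image.
CODE_TYPES = {0x00: "x86 BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}

def parse_option_rom(blob):
    """Walk the image chain of an Option ROM dump; return one record per image."""
    images, off = [], 0
    while off + 0x1A <= len(blob) and blob[off:off + 2] == b"\x55\xaa":
        (ptr,) = struct.unpack_from("<H", blob, off + 0x18)  # pointer to PCIR
        pcir = off + ptr
        if pcir + 0x18 > len(blob) or blob[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"image at {off:#x}: missing PCIR structure")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        (units,) = struct.unpack_from("<H", blob, pcir + 0x10)  # 512-byte units
        code_type, indicator = blob[pcir + 0x14], blob[pcir + 0x15]
        size = units * 512
        if size == 0 or off + size > len(blob):
            raise ValueError(f"image at {off:#x}: length {size} exceeds dump")
        images.append({
            "offset": off, "size": size, "vendor": vendor, "device": device,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type:#x})"),
            "sha256": hashlib.sha256(blob[off:off + size]).hexdigest(),
        })
        if indicator & 0x80:  # bit 7 set: last image in the chain
            break
        off += size
    return images

def unexpected_images(images, baseline):
    """Return images whose SHA-256 is not in the known-good baseline set."""
    return [img for img in images if img["sha256"] not in baseline]

def _make_image(vendor, device, code_type, last):
    """Build a constructed 512-byte image for the demo (not real firmware)."""
    img = bytearray(512)
    img[0:2] = b"\x55\xaa"
    struct.pack_into("<H", img, 0x18, 0x1C)
    struct.pack_into("<4sHHHHB3sHHBBH", img, 0x1C, b"PCIR", vendor, device, 0, 0x18,
                     0, b"\x00\x00\x02", 1, 0, code_type, 0x80 if last else 0, 0)
    return bytes(img)

# Constructed sample: a legacy image followed by an EFI image, made-up IDs.
SAMPLE = _make_image(0xABCD, 0x1234, 0x00, False) + _make_image(0xABCD, 0x1234, 0x03, True)

if __name__ == "__main__":
    known_good = {parse_option_rom(SAMPLE)[0]["sha256"]}  # only image 0 is baselined
    for img in unexpected_images(parse_option_rom(SAMPLE), known_good):
        print(f"{img['offset']:#06x} {img['code_type']:<10} {img['sha256'][:16]}")
```

An EFI-type image that is absent from the vendor baseline is the case worth investigating, since the firmware can load EFI Option ROM code during boot.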
Affected products
- Range: <10.10.2
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2015/Jan/msg00003.html (nvd, Vendor Advisory)
- support.apple.com/HT204244 (nvd, Vendor Advisory)
- www.securitytracker.com/id/1031650 (nvd)
- trmm.net/Thunderstrike (nvd)