VYPR
Unrated severity · NVD Advisory · Published Oct 9, 2015 · Updated May 6, 2026

CVE-2015-5849

Description

The filtering implementation in AppleEvents in Apple OS X before 10.11 mishandles attempts to send events to a different user, which allows attackers to bypass intended access restrictions by leveraging a screen-sharing connection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Apple OS X before 10.11, AppleEvents filtering mishandles inter-user event sending, allowing screen-sharing attackers to bypass access restrictions.

Vulnerability

The filtering implementation in AppleEvents in Apple OS X before 10.11 (i.e., versions prior to El Capitan) mishandles attempts to send events to a different user. This flaw resides in the inter-user event delivery mechanism within the AppleEvents subsystem, which is used for inter-process communication (IPC) and automation. No special configuration is required beyond the presence of a screen-sharing connection.

Exploitation

An attacker must have established a screen-sharing connection to the target Mac. No further authentication or additional network privileges are needed beyond that connection. The attacker can leverage this position to send crafted AppleEvents to a different user on the same system, bypassing the intended access controls that should prevent cross-user event delivery.

Impact

Successful exploitation enables the attacker to bypass access restrictions that normally segregate user sessions. This could lead to unauthorized actions in the context of another user, potentially allowing information disclosure, privilege escalation, or other malicious operations depending on the target user's privileges and the capabilities exposed via AppleEvents. The exact confidentiality, integrity, and availability (CIA) impact is limited by what AppleEvents can accomplish on the receiving user's session.

Mitigation

Apple addressed this issue in OS X El Capitan v10.11, released on September 30, 2015, as documented in security advisory HT205267 [1]. Users should upgrade to OS X 10.11 or later. No workaround is available, and older unsupported versions remain vulnerable. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the available references.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

3
