CVE-2025-43523

Vulnerability

Overview A permissions issue in macOS was addressed with additional restrictions. The vulnerability allows an app to access sensitive payment tokens, as described in the vendor security advisories for macOS Sequoia 15.7.3 and macOS Tahoe 26.2. The root cause is a missing or insufficient permission check, which could be bypassed by a malicious application. [1]

Attack

Vector and Prerequisites Exploitation requires a macOS system that has not been updated to the patched versions. An attacker must either trick the user into installing a malicious app or gain code execution through other means. No additional authentication is needed once the app is running on the user's system under the user's privileges. [1][2]

Impact

A successful exploit could allow an app to access sensitive user data, specifically payment tokens that might be stored on the system. This could lead to unauthorized transactions or identity theft. The CVSS v3 base score is 5.5 (Medium), reflecting the need for local access and user interaction. [2]

Mitigation

Apple has released macOS Sequoia 15.7.3 and macOS Tahoe 26.2, which contain the fix for this issue. Users are advised to update their systems via Software Update or Apple's support pages. No workarounds have been published. [1][2]