
Apple has released an urgent security update for macOS Sequoia, version 15.5, patching eight serious vulnerabilities affecting user data privacy.
The company confirmed in a May 2025 security advisory that the flaws existed across key system components including Apple Intelligence Reports, Core Bluetooth, Finder, and the Transparency, Consent, and Control (TCC) framework.
The most critical flaw, tracked as CVE-2025-31260, was found in Apple Intelligence Reports. It allowed unauthorized apps to access sensitive user information due to improper permission handling. Thomas Völkl of TU Darmstadt discovered the flaw.
Another high-risk issue, CVE-2025-31212, resided in Core Bluetooth. Identified by developer Guilherme Rambo, the vulnerability allowed private data exposure due to faulty state management.
Apple also patched vulnerabilities in Notification Center (CVE-2025-24142) and StoreKit (CVE-2025-31242), where sensitive log data could inadvertently be revealed. This could have led to unintended disclosure of personal information.
A logic flaw in the macOS Sandbox component (CVE-2025-31249) allowed applications to bypass isolation protocols, giving them access to data beyond their scope.
The TCC framework (CVE-2025-31250) had a separate privacy flaw where weak enforcement of privacy checks could lead to data leaks.
While Apple stated there is no evidence of active exploitation, security researchers stress that the number and scope of these vulnerabilities highlight the complexity of maintaining privacy in evolving operating systems.
Experts warn that unpatched systems present a large attack surface that malicious actors can exploit to harvest sensitive information, including personal identifiers, usage patterns, and communications.
The full list of addressed vulnerabilities includes:

| CVE Identifier | Component | Description |
|---|---|---|
| CVE-2025-31260 | Apple Intelligence Reports | Unauthorized data access due to permission flaw |
| CVE-2025-31212 | Core Bluetooth | Improper state management exposing user data |
| CVE-2025-24142 | Notification Center | Log entries revealing sensitive information |
| CVE-2025-31242 | StoreKit | Privacy leak through log exposure |
| CVE-2025-31249 | Sandbox | Logic flaw bypassing app isolation |
| CVE-2025-31250 | TCC | Information disclosure due to weak privacy enforcement |

Apple strongly recommends that all users of macOS Sequoia install the 15.5 update immediately. The update is available via System Settings > General > Software Update.