Multiple Vulnerabilities in Apple Products Could Allow for Privilege Escalation

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for privilege escalation. Successful exploitation of the most severe of these vulnerabilities could allow a user to elevate privileges. Depending on the privileges associated with the user, they may be able to modify protected system files. 

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for privilege escalation. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0002):

Technique: Exploitation for Client Execution (T1203):

* A user may be able to elevate privileges. (CVE-2026-20631)

* A remote user may be able to write arbitrary files. (CVE-2026-20660)

* An app may be able to read arbitrary files as root. (CVE-2026-28889)

* An app may be able to access sensitive user data. (CVE-2026-28877, CVE-2026-28876, CVE-2026-28870, CVE-2026-28824, CVE-2026-28866, CVE-2026-20668, CVE-2026-28839, CVE-2026-28831, CVE-2026-28818, CVE-2026-20697, CVE-2026-28828, CVE-2026-20651, CVE-2026-28881, CVE-2026-20632, CVE-2026-28820, CVE-2026-28837)

* An issue existed in curl which may result in unintentionally sending sensitive information via an incorrect connection. (CVE-2025-14524)

* An app may be able to leak sensitive kernel state. (CVE-2026-28867)

* An app may be able to modify protected parts of the file system. (CVE-2026-28892, CVE-2026-28829, CVE-2026-28825)

* An app may be able to gain elevated privileges. (CVE-2026-28821)

* An app may be able to gain root privileges. (CVE-2026-28888)

* An app may be able to determine kernel memory layout. (CVE-2026-20695)

* An app may be able to access protected user data. (CVE-2026-20607, CVE-2026-28845)

Additional lower severity vulnerabilities include:

* An app may be able to cause unexpected system termination. (CVE-2026-28890, CVE-2026-20637, CVE-2026-28834)

* Processing maliciously crafted web content may prevent Content Security Policy from being enforced. (CVE-2026-20665)

* Processing maliciously crafted web content may bypass Same Origin Policy. (CVE-2026-20643)

* Visiting a maliciously crafted website may lead to a cross-site scripting attack. (CVE-2026-28871)

* Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2026-20664, CVE-2026-28857, CVE-2026-28879)

* A malicious website may be able to access script message handlers intended for other origins. (CVE-2026-28861)

* A malicious website may be able to process restricted web content outside the sandbox. (CVE-2026-28859)

* A maliciously crafted webpage may be able to fingerprint the user. (CVE-2026-20691)

* An attacker in a privileged network position may be able to intercept network traffic. (CVE-2026-28865)

* An attacker may be able to cause unexpected app termination. (CVE-2026-28822)

* Processing an audio stream in a maliciously crafted media file may terminate the process. (CVE-2026-20690)

* A user in a privileged network position may be able to cause a denial-of-service. (CVE-2026-28886)

* An app may be able to enumerate a user's installed apps. (CVE-2026-28878, CVE-2026-28880, CVE-2026-28833, CVE-2026-28882)

* Processing a maliciously crafted file may lead to unexpected app termination. (CVE-2025-64505)

* An app may be able to disclose kernel memory. (CVE-2026-28868, CVE-2026-28832)

* An app may be able to cause unexpected system termination or corrupt kernel memory. (CVE-2026-20698)

* An app may be able to break out of its sandbox. (CVE-2026-20688, CVE-2026-28838, CVE-2026-28891, CVE-2026-28827)

* An app may be able to fingerprint the user. (CVE-2026-28863)

* A local attacker may gain access to user's Keychain items. (CVE-2026-28864)

* An attacker with physical access to a locked device may be able to view sensitive user information. (CVE-2026-28856)

* An app may be able to cause a denial-of-service. (CVE-2026-28852)

* An app may be able to cause unexpected system termination or write kernel memory. (CVE-2026-20687)

* Multiple issues in Apache. (CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)

* An app may be able to access user-sensitive data. (CVE-2026-20699, CVE-2026-20633, CVE-2026-20694, CVE-2026-28862)

* A remote attacker may be able to cause a denial-of-service. (CVE-2026-28894, CVE-2026-28875)

* Processing a maliciously crafted string may lead to heap corruption. (CVE-2026-20639)

* "Hide IP Address" and "Block All Remote Content" may not apply to all mail content. (CVE-2026-20692)

* An app may be able to connect to a network share without user consent. (CVE-2026-20701)

* An app may be able to delete files for which it does not have permission. (CVE-2026-28816)

* An attacker with root privileges may be able to delete protected system files. (CVE-2026-20693)

* A sandboxed process may be able to circumvent sandbox restrictions. (CVE-2026-28817)

* Mounting a maliciously crafted SMB network share may lead to system termination. (CVE-2026-28835)

* Parsing a maliciously crafted file may lead to an unexpected app termination. (CVE-2026-20657)

* An app with root privileges may be able to delete protected system files. (CVE-2026-28823)

* An app may bypass Gatekeeper checks. (CVE-2026-20684)

* A document may be written to a temporary file when using print preview. (CVE-2026-28893)

* A buffer overflow may result in memory corruption and unexpected app termination. (CVE-2026-28842, CVE-2026-28841)

* A malicious app may be able to break out of its sandbox. (CVE-2026-28826)

* An attacker may gain access to protected parts of the file system. (CVE-2026-28844)

* A user with physical access to an iOS device may be able to bypass Activation Lock. (CVE-2025-43534)

* A remote attacker may be able to view leaked DNS queries with Private Relay turned on. (CVE-2025-43376)

* An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode. (CVE-2026-28895)

* A remote attacker may cause an unexpected app termination. (CVE-2026-28874)

* A remote user may be able to cause unexpected system termination or corrupt kernel memory. (CVE-2026-28858)

Successful exploitation of the most severe of these vulnerabilities could allow a user to elevate privileges. Depending on the privileges associated with the user, they may be able to modify protected system files.

We recommend the following actions be taken:

* Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: Update Software) 

o Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

o Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

o Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

o Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

o Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

o Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

o Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

o Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

* Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management) 

o Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

o Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

* Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning) 

o Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

* Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation) 

o Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

* Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection) 

o Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.