PT SWARM expert Egor Filatov found a critical vulnerability in Shortcuts, a built-in macOS app that streamlines device management by automating repetitive user actions. If successfully exploited, the security flaw could allow an attacker to gain full control over the device, including the ability to read, edit, and delete any data. If the compromised device happens to be a laptop connected to a corporate network, the attacker could also infiltrate the internal company infrastructure.
The vulnerability, tracked as BDU:2025-02497 and rated 8.6 out of 10 on the CVSS 3.0 scale, affects Shortcuts 7.0 (2607.1.3). The vendor was notified of the threat in line with the responsible disclosure policy and has already released a software patch. Users are advised to upgrade to macOS Sequoia 15.5 or later. If updating the OS is currently not possible, Positive Technologies recommends users to pay close attention to the downloaded shortcuts before running them or avoid using them altogether.
The Shortcuts app was introduced with macOS Monterey back in 2021 and has been supported in macOS Ventura, Sonoma, and Sequoia versions over the past four years. With the app, users can create shortcuts to automate various tasks, such as starting a timer, playing music, or converting text to audio. Users also have access to macros[1] that provide ready-made shortcuts. A threat actor could leverage this functionality by uploading infected templates to the library. For the security flaw to be exploited, it would be enough for the victim to inadvertently run a malicious macro on their device.
“An attacker could exploit this vulnerability to target any Shortcuts user,” said Egor Filatov, Junior Mobile Application Security Researcher at Positive Technologies. “Before remediation, the vulnerability allowed an attacker to bypass macOS security mechanisms and execute arbitrary code on the victim’s system.”
According to the expert, the potential consequences of successful attacks include the following:
- Theft of confidential data or deletion of valuable information
- Malware execution
- Installation of backdoors[2] aimed at maintaining access to the system even after vulnerability patching
- Ransomware[3] infection
- Disruption to the organisation’s business processes (if a corporate device is compromised)
Positive Technologies experts have been studying Apple products for over a decade. In 2018, Maxim Goryachy and Mark Ermolov, while looking for security flaws in Intel Management Engine, found a firmware vulnerability (CVE-2018-4251) affecting personal computers made by Apple and other manufacturers. In 2017, Timur Yunusov warned the community about multiple security gaps he discovered in Apple Pay: by exploiting the vulnerabilities, attackers could compromise users’ bank cards and make unauthorised payments on external resources. Before that, another Positive Technologies researcher found and helped eliminate a critical vulnerability in the apple.com website, which could allow an adversary to conduct a directory traversal attack and gain access to private data.
In addition to the macOS version of Shortcuts, there is also an iOS version of the app for mobile devices. To prevent threat actors from infiltrating the corporate network via vulnerable mobile apps, companies should protect their apps against reverse engineering. This can be done with solutions such as PT MAZE, which turns the application into an impenetrable maze, making attacks too resource-intensive for adversaries.
[1] A macro is a pre-programmed sequence of actions defined by the user.
[2] A backdoor is a type of malware that allows unauthorised access to data or enables remote control of the compromised system. Typically, an attacker installs a backdoor on a target system for future access.
[3] Ransomware is a type of malware that encrypts a victim’s files or locks them out of their computer system, giving the attacker control over any personal information stored on the compromised device. The attacker can then demand a ransom, threatening to leave the files or system inaccessible to the victim or to disclose confidential data if the ransom is not paid.
Discussion about this post