CVE-2025-64723
Unknown Unknown - Not Provided
macOS Entitlement Bypass in Arduino IDE Allows TCC Access

Publication date: 2025-12-18

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64723
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
arduino arduino_ide to 2.3.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Arduino IDE for macOS (up to version 2.3.6) is caused by overly permissive security entitlements that bypass macOS Hardened Runtime protections. This allows attackers with local low-privilege access to inject malicious dynamic libraries into the Arduino IDE process. As a result, attackers can gain access to all Transparency, Consent, and Control (TCC) permissions granted to the application, potentially compromising confidentiality and integrity within the system. The issue is fixed in version 2.3.7 by correcting the entitlements to prevent such dynamic library injection. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker with local low-privilege access to inject malicious code into the Arduino IDE process, gaining access to all TCC permissions granted to the application. This can lead to unauthorized access to sensitive data or system components controlled by these permissions, resulting in low confidentiality and integrity loss. There is no impact on system availability. The exploitation requires no user interaction and has low complexity. [1]

Detection Guidance

This vulnerability can be detected by checking the version of the Arduino IDE installed on macOS systems. Versions prior to 2.3.7 are vulnerable. Additionally, inspecting the security entitlements of the Arduino IDE application for overly permissive settings that allow dynamic library injection can help detect the issue. Specific commands to check the version include running `arduino --version` or checking the application info. To inspect entitlements, you can use the macOS command `codesign -d --entitlements :- /path/to/Arduino.app`. Look for entitlements that bypass Hardened Runtime protections or allow dynamic library injection. [1]

Mitigation Strategies

The immediate mitigation step is to update the Arduino IDE on macOS to version 2.3.7 or later, where the security entitlements have been corrected to prevent dynamic library injection and Hardened Runtime bypass. Until the update can be applied, restrict local access to the system to trusted users only, as exploitation requires local access with low privileges. [1]

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart