CVE-2025-66004
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: SUSE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | usbmuxd | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-35 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Path Traversal issue in the usbmuxd service that allows local users to escalate their privileges to the service user. It affects versions of usbmuxd before the commit 3ded00c9985a5108cfc7591a309f9a23d57a8cba.
How can this vulnerability impact me? :
The vulnerability can allow a local user to escalate their privileges to those of the usbmuxd service user, potentially enabling unauthorized actions or access within the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable usbmuxd daemon version (before commit 3ded00c9985a5108cfc7591a309f9a23d57a8cba) and by monitoring the world-writable UNIX socket at /var/run/usbmuxd for suspicious SavePairRecord messages containing path traversal payloads. You can check the usbmuxd version by running commands like `usbmuxd -V` or inspecting the package version installed. Additionally, monitoring or auditing the /var/run/usbmuxd socket for unexpected write operations or unusual plist files being created or modified with relative paths could indicate exploitation attempts. Specific commands might include: `ls -l /var/run/usbmuxd` to verify socket permissions, `ps aux | grep usbmuxd` to check running daemon version, and using audit tools like `auditctl` to watch file operations on relevant plist files. However, no explicit detection commands or scripts are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating usbmuxd to a version that includes the fix (commit 3ded00c9985a5108cfc7591a309f9a23d57a8cba or later) where the pair_record_id input is sanitized and validated to prevent path traversal. Additionally, reconsider the security implications of having a world-writable UNIX socket at /var/run/usbmuxd by restricting its permissions to prevent unprivileged users from sending malicious messages. If an update is not immediately available, temporarily restricting access to the socket or disabling the usbmuxd service until patched can reduce risk. [1]