macOS Sandbox Escape Vulnerability Allows Keychain Deletion and Replacement


May 2, 2025 - 16:17

A security vulnerability in macOS has been discovered. It allows malicious actors to escape the App Sandbox protection by manipulating security-scoped bookmarks. 

Tracked as CVE-2025-31191, this vulnerability enables a threat actor to delete and replace a keychain entry critical for authenticating file access, effectively breaking one of macOS’s core security boundaries.

macOS Sandbox Escape Vulnerability

The vulnerability centers on the security-scoped bookmarks system, a feature designed to allow sandboxed applications persistent access to user-selected files. 

According to Microsoft’s detailed analysis, attackers can exploit a critical flaw in how macOS manages these bookmarks.

Security-scoped bookmarks work by generating cryptographically signed capability tokens that encode persistent user-granted access to files outside an application’s container. 

These bookmarks are normally protected by HMAC-SHA256 authentication, with keys derived uniquely for each application as HMAC-SHA256(secret, [bundle-id]).

The exploit takes advantage of a subtle weakness in the keychain protection mechanism. 

While Apple correctly restricted read access to the com.apple.scopedbookmarksagent.xpc keychain item through strict Access Control Lists (ACLs), researchers discovered that the protection did not prevent deletion or replacement of the item.

“A malicious process running within a sandboxed app context could delete the legitimate signing secret used by the ScopedBookmarkAgent,” explains the detailed vulnerability report. 

After deletion, attackers can insert a new secret with a known value and attach a permissive ACL that allows broader access.

With the compromised signing key, attackers can:

  • Calculate the cryptographic signing key for any application using its bundle ID.
  • Craft malicious bookmarks for arbitrary files.
  • Inject these forged bookmarks into the securebookmarks.plist file.

When the application attempts to access files using these bookmarks, the ScopedBookmarkAgent validates the forged credentials and grants access without additional user consent.
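The trust chain described above, as an added toy model (not Apple's or Microsoft's code) that shows why read-only protection of a signing secret is not enough: the agent accepts whatever the stored secret currently authenticates, and, as a visible side effect, bookmarks issued under the original secret stop verifying once it is replaced. The principal names, bundle ID, paths and secret values are constructed.

```python
import hashlib
import hmac

# Added toy model (not Apple's code) of the trust chain the article describes:
# root secret in the keychain, per-app key = HMAC-SHA256(secret, bundle-id),
# bookmarks authenticated with that key. Names and paths are constructed.

AGENT = "ScopedBookmarkAgent"  # the only principal the ACL lets read the secret

def derive_app_key(secret: bytes, bundle_id: str) -> bytes:
    return hmac.new(secret, bundle_id.encode(), hashlib.sha256).digest()

def sign_bookmark(app_key: bytes, path: str) -> dict:
    # Capability token: the granted path plus an HMAC tag over it.
    tag = hmac.new(app_key, path.encode(), hashlib.sha256).hexdigest()
    return {"path": path, "tag": tag}

def verify_bookmark(secret: bytes, bundle_id: str, bookmark: dict) -> bool:
    # The agent's check: re-derive the app key and compare tags.
    expected = sign_bookmark(derive_app_key(secret, bundle_id), bookmark["path"])
    return hmac.compare_digest(expected["tag"], bookmark["tag"])

class KeychainItem:
    # Item whose ACL gates reads but, as in the flaw, not delete/replace.
    def __init__(self, secret: bytes):
        self._secret = secret

    def read(self, caller: str) -> bytes:
        if caller != AGENT:
            raise PermissionError("ACL denies read")
        return self._secret

    def delete_and_replace(self, new_secret: bytes) -> None:
        self._secret = new_secret  # no ACL check here: the weakness

def scenario() -> dict:
    item, app = KeychainItem(b"original-secret-sandbox-cannot-read"), "com.example.sandboxed"
    legit = sign_bookmark(derive_app_key(item.read(AGENT), app), "/tmp/user-picked.txt")
    try:
        item.read("sandboxed-process")
        secret_readable = True
    except PermissionError:
        secret_readable = False  # read protection holds...
    swapped = b"value-chosen-by-sandboxed-process"
    item.delete_and_replace(swapped)  # ...but replacing needs no knowledge of the old value
    forged = sign_bookmark(derive_app_key(swapped, app), "/tmp/never-granted.txt")
    return {"secret_readable": secret_readable,
            "forged_accepted": verify_bookmark(item.read(AGENT), app, forged),
            "legit_still_valid": verify_bookmark(item.read(AGENT), app, legit)}
```

The last field is the defender-relevant observation: after the secret is swapped, every bookmark the agent previously issued fails verification, so a sudden wave of failed bookmark resolutions is consistent with this kind of tampering.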

This effectively bypasses the sandbox’s boundaries, allowing access to sensitive system files and opening the way to further exploitation.

The proof-of-concept demonstrated by Microsoft shows how a malicious Office macro could implement this attack chain, though the vulnerability affects any sandboxed app using security-scoped bookmarks.

Risk Factors and Details

Affected Products: macOS Ventura 13.7.5, tvOS 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5
Impact: Improper state management allowing access to sensitive user data; sandbox escape enabling arbitrary file access; privilege escalation
Exploit Prerequisites: Initial code execution in sandboxed app context; user-enabled Office macros; no administrator privileges required
CVSS 3.1 Score: 5.5 (Medium)

Affected Systems and Mitigation

This vulnerability affects multiple Apple operating systems, including macOS Ventura, macOS Sequoia, macOS Sonoma, tvOS, iOS, and iPadOS. 

The exploit enables unauthorized access to sensitive user data and potentially allows for arbitrary code execution with elevated privileges.

Apple has addressed the vulnerability “through improved state management” in security updates released for affected systems. Users are strongly encouraged to apply these updates immediately:

  • macOS Sequoia 15.4.
  • macOS Sonoma 14.7.5.
  • macOS Ventura 13.7.5.
  • iOS 18.4 and iPadOS 18.4.
  • tvOS 18.4.

Microsoft Defender for Endpoint can detect suspicious keychain manipulation attempts related to this exploit, adding an additional layer of protection for organizations using the security solution.

Jonathan Bar Or from Microsoft Threat Intelligence emphasized the importance of cross-industry collaboration in identifying and addressing such security issues. 

This case highlights how sophisticated attackers continue to find ways to circumvent sandbox protections, reinforcing the need for prompt security updates and comprehensive endpoint security solutions.


The post macOS Sandbox Escape Vulnerability Allows Keychain Deletion and Replacement appeared first on Cyber Security News.