What is the most critical macOS SMBClient vulnerability?

CVE-2025-24269 with a CVSS score of 9.8 is the most critical vulnerability. It involves missing validation of the compress_len field from network packets during SMB2 chained compression processing, allowing a malicious SMB server to send crafted packets that can cause remote code execution in kernel context.

Who discovered these macOS SMBClient vulnerabilities?

The vulnerabilities were discovered by security researchers from Supernetworks, who identified three separate flaws affecting different aspects of macOS SMB functionality including compression processing, authentication, and permission validation.

What are the specific CVE numbers and severity scores for these macOS vulnerabilities?

Two CVE numbers have been assigned: CVE-2025-24269 (CVSS score 9.8) for the SMB2 compression processing vulnerability, and CVE-2025-24235 (CVSS score 5.5) for the Kerberos Helper library authentication flaw. A third vulnerability affecting the smbfs kernel module has not been assigned a CVE number yet.

How does the CVE-2025-24269 vulnerability work technically?

CVE-2025-24269 involves missing validation of the compress_len field from network packets during SMB2 chained compression processing. A malicious SMB server can send crafted packets with unchecked compress_len values, causing buffer overflows that lead to remote code execution in kernel context with the highest system privileges.

What is CVE-2025-24235 and how can it be exploited?

CVE-2025-24235 (CVSS score 5.5) is a flaw in the Kerberos Helper library used during SMB authentication. A malicious SMB server can trigger authentication failure causing control flow to jump to the vulnerable library, potentially resulting in remote code execution during the authentication process.

What is the third macOS SMBClient vulnerability without a CVE number?

The third vulnerability involves missing permission validation in the smbfs kernel module and can cause local denial of service through unauthorized process termination. While it doesn't have a CVE number assigned yet, it still represents a security risk that could be exploited to disrupt system operations.

Why are SMB vulnerabilities particularly important for macOS security?

Starting with macOS Big Sur, SMB has become the preferred file sharing protocol in macOS, making it a relevant attack surface in macOS deployments. The widespread use of SMB for file sharing means these vulnerabilities could affect many macOS users and enterprise environments.

What should macOS users do to protect themselves from these SMBClient vulnerabilities?

Users should immediately update to macOS Sequoia 15.4 or later, review SMB network configurations to minimize exposure, disable SMB services if not required, and exercise caution when following smb:// links from untrusted sources until patches are applied.

Can these macOS vulnerabilities be exploited remotely?

Yes, both CVE-2025-24269 and CVE-2025-24235 can be exploited remotely by malicious SMB servers. Attackers can set up rogue SMB servers or compromise legitimate ones to send malicious packets that exploit these vulnerabilities with minimal user interaction required.

What privileges can attackers gain through the critical macOS SMBClient vulnerability?

CVE-2025-24269 enables remote code execution in kernel context, which means attackers can gain the highest level of system privileges. This could allow complete system compromise, installation of malware, data theft, and full control over the affected macOS system.

How can organizations protect their macOS deployments from these SMB vulnerabilities?

Organizations should prioritize deployment of macOS Sequoia 15.4, conduct security audits of SMB network configurations, implement network segmentation to limit SMB traffic exposure, disable unnecessary SMB services, and educate users about the risks of clicking untrusted smb:// links.

What makes CVE-2025-24269 particularly dangerous for enterprise environments?

CVE-2025-24269 is particularly dangerous because it has a CVSS score of 9.8, enables kernel-level code execution, can be triggered by malicious SMB servers with minimal user interaction, and affects the widely-used SMB file sharing protocol that's essential in many enterprise environments for network file access.

Are there any workarounds for these macOS SMBClient vulnerabilities?

While updating to macOS Sequoia 15.4 is the recommended solution, temporary workarounds include disabling SMB client services if not needed, implementing network-level filtering to block untrusted SMB traffic, avoiding smb:// links from unknown sources, and using alternative file sharing protocols where possible.

How do these vulnerabilities affect macOS versions prior to Big Sur?

While SMB became the preferred file sharing protocol starting with macOS Big Sur, earlier macOS versions that support SMB functionality may also be vulnerable. Users on older macOS versions should check for available security updates and consider upgrading to supported versions that include these security fixes.

What should IT administrators monitor for regarding these macOS SMB vulnerabilities?

IT administrators should monitor for suspicious SMB traffic, unusual authentication failures, unexpected system crashes or reboots, unauthorized process terminations, network connections to unknown SMB servers, and ensure all macOS systems are updated to version 15.4 or later to prevent exploitation.

How do these macOS vulnerabilities compare to other recent Apple security issues?

With a critical CVSS score of 9.8 for CVE-2025-24269, these SMBClient vulnerabilities represent some of the most serious security issues affecting macOS in recent years. The ability to achieve kernel-level code execution through network-based attacks makes this particularly significant for enterprise security.

What network security measures can help mitigate these macOS SMB vulnerabilities?

Network security measures include implementing firewall rules to restrict SMB traffic to trusted networks, using network segmentation to isolate SMB services, deploying intrusion detection systems to monitor for malicious SMB traffic patterns, and implementing network access controls to prevent connections to untrusted SMB servers.

Why is kernel-level code execution particularly concerning in macOS?

Kernel-level code execution in macOS is particularly concerning because it bypasses all user-space security controls, provides complete system access, can disable security features like System Integrity Protection (SIP), allows installation of rootkits and persistent malware, and enables attackers to access sensitive data across all user accounts on the system.

Advisory

Critical macOS SMBClient flaws enable remote code execution

Q: What vulnerabilities were discovered in macOS SMBClient?

Security researchers from Supernetworks discovered three vulnerabilities affecting macOS SMBClient that enable remote code execution, system crashes, and unauthorized process termination with minimal user interaction. These vulnerabilities affect SMB file sharing functionality that became the preferred protocol starting with macOS Big Sur.

Q: Have these macOS SMBClient vulnerabilities been patched?

Yes, Apple has addressed all three vulnerabilities in macOS Sequoia 15.4, which was released on March 31, 2025. The fixes include input validation improvements for the SMB packet processing function to prevent memory overflow conditions.

published: July 8, 2025

Take action: Another reason to update to macOS Sequoia 15.4. In the meantime, disable SMB services if you don't need file sharing, and avoid clicking smb:// links from untrusted sources until you've patched.

Learn More

Security researchers from Supernetworks are reporting three vulnerabilities affecting macOS SMBClient that enable remote code execution, system crashes, and unauthorized process termination with minimal user interaction.

Starting with macOS Big Sur, SMB has become the preferred file sharing protocol, making it a relevant attack surface in macOS deployments.

Vulnerabilities summary

CVE-2025-24269 (CVSS score 9.8) - Missing validation of compress_len field from network packets during SMB2 chained compression processing. A malicious SMB server can send crafted packets with unchecked compress_len values, causing remote code execution in kernel context.
CVE-2025-24235 (CVSS score 5.5) - The flaw is part of the Kerberos Helper library used during SMB authentication. A malicious SMB server can trigger authentication failure causing control flow to jump to the vulnerable library, and cause remote code execution.
(No CVE assigned) - This flaw is a missing permission validation in the smbfs kernel module, and can cause local denial of service through unauthorized process termination.

Apple has addressed all three vulnerabilities in macOS Sequoia 15.4, released on March 31, 2025. The fixes include input validation improvements for the SMB packet processing function to prevent memory overflow conditions.

Organizations should prioritize the deployment of macOS Sequoia 15.4 and review SMB network configurations to minimize exposure. Users should disable SMB services if not required and exercise caution when following smb:// links from untrusted sources until patches are applied.

Critical macOS SMBClient flaws enable remote code execution

Read More
Android patches 40 Vulnerabilities, 4 critical - but …
CISA warns of active exploitation of three years …
VLC Player warns of flaw allowing hackers to …
Spyware exploited vulnerability in Samsung Galaxy devices through …
Most Windows and Linux computers vulnerable to a …