CVE-2025-31277 Elastic Security · Elastic

Detect Apple Multiple Products Buffer Overflow Exploitation (CVE-2025-31277) in Elastic Security

Detects potential exploitation of CVE-2025-31277, a buffer overflow vulnerability (CWE-119) affecting multiple Apple products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation may allow attackers to execute arbitrary code, escalate privileges, or cause denial of service on affected Apple devices and systems.

MITRE ATT&CK

Tactic
Execution Privilege Escalation Defense Evasion

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=5m
  [process where host.os.type in ("macos", "ios") and
   process.name in ("mdmclient", "mobileassetd", "softwareupdated", "nsurlsessiond", "trustd", "accountsd", "apsd", "securityd") and
   event.action in ("process_stopped", "process_error", "crash")]
  [process where host.os.type in ("macos", "ios") and
   process.parent.name in ("mdmclient", "mobileassetd", "softwareupdated", "nsurlsessiond", "trustd", "accountsd", "apsd", "securityd") and
   process.name in ("sh", "bash", "zsh", "python3", "perl", "ruby", "osascript")]
high severity high confidence

EQL sequence rule detecting a two-stage exploitation pattern: an Apple system daemon crash followed within 5 minutes by a child shell or scripting process spawned from the same daemon, indicative of CVE-2025-31277 buffer overflow exploitation.

Data Sources

Elastic AgentmacOS Endpoint Security FrameworkAuditbeat

Required Tables

logs-endpoint.events.process-*auditbeat-*

False Positives & Tuning

  • Automated software update workflows that restart daemons and trigger post-update scripts
  • System integrity protection repairs that restart services and execute validation scripts
  • Enterprise MDM solutions that use daemon context to execute management scripts

Other platforms for CVE-2025-31277

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Apple System Daemon Crash with Non-Zero Exit

    Expected signal: Process crash event for 'trustd' (or mock process) with SIGSEGV signal, non-zero exit code, and EXC_BAD_ACCESS exception type visible in /Library/Logs/DiagnosticReports/ and EDR crash telemetry

  2. Test 2Spawn Shell from Apple Daemon Context (Post-Exploitation Simulation)

    Expected signal: ProcessCreate event showing bash spawning /tmp/daemon_spawn_test.sh, with subsequent child processes for whoami, uname, id, and ls commands — EDR should record full process ancestry and command lines

  3. Test 3Generate Crash Report Artifact for Apple Daemon

    Expected signal: File creation event in ~/Library/Logs/DiagnosticReports/ for trustd crash file; log collection agents (Elastic Agent, CrowdStrike) should ingest the .crash file and surface EXC_BAD_ACCESS exception type in SIEM

Last updated: 2026-06-19 Research depth: standard
References (6)

Unlock Pro Content

Get the full detection package for CVE-2025-31277 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1203Exploitation for Client ExecutionT1068Exploitation for Privilege EscalationT1499Endpoint Denial of Service

Same Tactic: Execution

Popular Detections