Apple Multiple Products Classic Buffer Overflow Exploitation (CVE-2025-43520)
Detects exploitation attempts targeting CVE-2025-43520, a classic buffer overflow vulnerability (CWE-120) affecting Apple Multiple Products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Buffer overflow exploitation may manifest as abnormal process crashes, memory corruption signals, unexpected child process spawning from Apple system processes, or anomalous network connections following process exploitation.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Apple
- Product
- Multiple Products
Weakness (CWE)
Timeline
- Disclosed
- March 20, 2026
References & Proof of Concept
- https://support.apple.com/en-us/125632
- https://support.apple.com/en-us/125633
- https://support.apple.com/en-us/125634
- https://support.apple.com/en-us/125635
- https://support.apple.com/en-us/125636
- https://support.apple.com/en-us/125637
- https://support.apple.com/en-us/125638
- https://support.apple.com/en-us/125639
- https://nvd.nist.gov/vuln/detail/CVE-2025-43520
CVSS
What is CVE-2025-43520 Apple Multiple Products Classic Buffer Overflow Exploitation (CVE-2025-43520)?
Apple Multiple Products Classic Buffer Overflow Exploitation (CVE-2025-43520) (CVE-2025-43520) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Apple Multiple Products Classic Buffer Overflow Exploitation (CVE-2025-43520), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
let AppleProcesses = dynamic(['com.apple.webkit', 'Safari', 'AppleScript', 'coreaudiod', 'imagent', 'mediaserverd', 'avatard', 'bluetoothd', 'configd']);
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where TimeGenerated >= ago(7d)
| where DeviceType == 'Mac'
| where (
(ActionType == 'ProcessCrashed' and ProcessVersionInfoProductName has_any (AppleProcesses))
or (ActionType == 'ProcessCreated' and InitiatingProcessFileName has_any (AppleProcesses) and FileName in~ ('bash', 'sh', 'zsh', 'python3', 'perl', 'osascript', 'curl', 'wget'))
or (ActionType == 'NetworkConnectionAccepted' and InitiatingProcessFileName has_any (AppleProcesses) and RemotePort in (4444, 1337, 31337, 8080, 8443))
)
| extend RiskSignal = case(
ActionType == 'ProcessCrashed', 'ProcessCrash_PossibleOverflow',
ActionType == 'ProcessCreated' and FileName in~ ('bash','sh','zsh'), 'ShellSpawnedFromAppleProcess',
ActionType == 'NetworkConnectionAccepted', 'SuspiciousNetworkFromAppleProcess',
'Unknown'
)
| project TimeGenerated, DeviceName, DeviceId, AccountName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RiskSignalDetects process crashes, unexpected shell spawning, and suspicious network connections from Apple system processes on macOS endpoints, which may indicate buffer overflow exploitation of CVE-2025-43520.
Data Sources
Required Tables
False Positives
- Legitimate Apple software update crashes during patching cycles
- Developer or QA environments running stress tests against Apple frameworks
- Security scanning tools interacting with Apple processes during scheduled scans
- Legitimate shell scripts invoked by AppleScript automation workflows
Sigma rule & cross-platform mapping
The detection logic for Apple Multiple Products Classic Buffer Overflow Exploitation (CVE-2025-43520) (CVE-2025-43520) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-43520
References (9)
- https://support.apple.com/en-us/125632
- https://support.apple.com/en-us/125633
- https://support.apple.com/en-us/125634
- https://support.apple.com/en-us/125635
- https://support.apple.com/en-us/125636
- https://support.apple.com/en-us/125637
- https://support.apple.com/en-us/125638
- https://support.apple.com/en-us/125639
- https://nvd.nist.gov/vuln/detail/CVE-2025-43520
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Shell Spawn from Apple-Like Parent Process
Expected signal: Process creation event showing osascript spawning bash; command line includes 'id' and 'hostname'.
- Test 2Simulate Suspicious Outbound Network Connection from Apple Process Context
Expected signal: Network connection attempt to port 4444 initiated by process tree rooted at osascript.
- Test 3Generate Apple Process Crash Report for Forensic Artifact Validation
Expected signal: Process crash event for bash with signal SIGSEGV; diagnostic report written to DiagnosticReports directory.
- Test 4Enumerate Persistence Mechanisms Post-Exploitation Simulation
Expected signal: File creation event for .plist file in ~/Library/LaunchAgents/; optional launchctl load event.
Unlock Pro Content
Get the full detection package for CVE-2025-43520 including response playbook, investigation guide, and atomic red team tests.