Detect Apple Multiple Products Classic Buffer Overflow Exploitation (CVE-2025-43520) in Splunk
Detects exploitation attempts targeting CVE-2025-43520, a classic buffer overflow vulnerability (CWE-120) affecting Apple Multiple Products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Buffer overflow exploitation may manifest as abnormal process crashes, memory corruption signals, unexpected child process spawning from Apple system processes, or anomalous network connections following process exploitation.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
SPL Detection Query
index=mac_endpoints sourcetype IN (osquery:differential, jamf:events, crowdstrike:events:macos)
| eval apple_procs=mvappend("Safari", "com.apple.webkit", "coreaudiod", "imagent", "mediaserverd", "avatard", "bluetoothd", "configd", "AppleScript")
| where (event_type="process_crash" AND mvfind(apple_procs, process_name)>=0)
OR (event_type="process_create" AND mvfind(apple_procs, parent_process_name)>=0 AND child_process_name IN ("bash", "sh", "zsh", "python3", "perl", "osascript", "curl", "wget"))
OR (event_type="network_connection" AND mvfind(apple_procs, process_name)>=0 AND dest_port IN (4444, 1337, 31337, 8080, 8443))
| eval risk_signal=case(
event_type="process_crash", "ProcessCrash_PossibleOverflow",
event_type="process_create" AND child_process_name IN ("bash","sh","zsh"), "ShellSpawnedFromAppleProcess",
event_type="network_connection", "SuspiciousNetworkFromAppleProcess",
true(), "Unknown"
)
| stats count by _time, host, user, event_type, process_name, child_process_name, parent_process_name, dest_ip, dest_port, risk_signal
| sort -_timeSplunk query hunting for exploitation indicators of CVE-2025-43520 including Apple process crashes, unexpected shell spawning, and anomalous outbound connections from Apple system processes on macOS endpoints.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Apple system updates causing transient process crashes
- IT automation scripts using AppleScript or osascript for management tasks
- Endpoint security tools initiating network connections from monitored Apple processes
- Development environments where Apple processes launch shell interpreters for legitimate testing
Other platforms for CVE-2025-43520
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Shell Spawn from Apple-Like Parent Process
Expected signal: Process creation event showing osascript spawning bash; command line includes 'id' and 'hostname'.
- Test 2Simulate Suspicious Outbound Network Connection from Apple Process Context
Expected signal: Network connection attempt to port 4444 initiated by process tree rooted at osascript.
- Test 3Generate Apple Process Crash Report for Forensic Artifact Validation
Expected signal: Process crash event for bash with signal SIGSEGV; diagnostic report written to DiagnosticReports directory.
- Test 4Enumerate Persistence Mechanisms Post-Exploitation Simulation
Expected signal: File creation event for .plist file in ~/Library/LaunchAgents/; optional launchctl load event.
References (9)
- https://support.apple.com/en-us/125632
- https://support.apple.com/en-us/125633
- https://support.apple.com/en-us/125634
- https://support.apple.com/en-us/125635
- https://support.apple.com/en-us/125636
- https://support.apple.com/en-us/125637
- https://support.apple.com/en-us/125638
- https://support.apple.com/en-us/125639
- https://nvd.nist.gov/vuln/detail/CVE-2025-43520
Unlock Pro Content
Get the full detection package for CVE-2025-43520 including response playbook, investigation guide, and atomic red team tests.