CVE-2025-24204 is a vulnerability that allows reading the memory of any process on SIP-enabled macOS systems. Its root cause is an excessively powerful entitlement (com.apple.system-task-ports.read) that was granted to the gcore binary. Exploiting this vulnerability enables:
- Dumping login keychain without user plaintext login password
- Bypassing TCC and accessing sensitive information
- Decrypting FairPlay-encrypted iOS apps on Apple Silicon Macs
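Since the root cause is an over-privileged entitlement on a system binary, a defender's natural check is to audit signed binaries for task-port entitlements. The following is an added example (not code from the advisory or from FFRI Security): it parses the XML entitlements plist that `codesign -d --entitlements :- <binary>` prints on macOS and reports any task-port entitlement set to true. The embedded plist is a constructed sample, and the set of keys audited is an assumption, not a statement about what any particular gcore build carries.

```python
import plistlib
from typing import Dict, List, Any

# Constructed sample in the XML plist form produced by
# `codesign -d --entitlements :- <binary>`; assumption: a build carrying
# the entitlement the advisory names plus an unrelated debugger entitlement.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.system-task-ports.read</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
"""

# Entitlement keys that grant access to other processes' task ports.
# The first is the one named in the advisory; the second is the broader
# read/write variant. Assumption: this list is what we choose to audit for.
TASK_PORT_ENTITLEMENTS = (
    "com.apple.system-task-ports.read",
    "com.apple.system-task-ports",
)


def parse_entitlements(xml_blob: bytes) -> Dict[str, Any]:
    """Decode an XML entitlements plist into a dict (empty dict if no <dict>)."""
    data = plistlib.loads(xml_blob)
    return data if isinstance(data, dict) else {}


def task_port_entitlements(entitlements: Dict[str, Any]) -> List[str]:
    """Return the audited task-port entitlement keys that are set to true."""
    return [key for key in TASK_PORT_ENTITLEMENTS if entitlements.get(key) is True]


def audit(xml_blob: bytes) -> List[str]:
    """Parse a codesign entitlements plist and flag task-port entitlements."""
    return task_port_entitlements(parse_entitlements(xml_blob))


if __name__ == "__main__":
    flagged = audit(SAMPLE_ENTITLEMENTS)
    for key in flagged:
        print(f"task-port entitlement present: {key}")
```

On a real host, feed the function the bytes of `codesign -d --entitlements :- /usr/bin/gcore` (captured from stdout); a non-empty result means the binary can read other processes' memory regardless of SIP.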
Koh M. Nakagawa (@tsunek0h). © FFRI Security, Inc. 2025