CVE-2025-64723

Severity: Medium (CVSS 4.0 base score 4.8)
EPSS exploit probability: 1.3%
Published: Dec 18, 2025
Last Modified: Jun 17, 2026

Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, the macOS build of Arduino IDE was signed with overly permissive security entitlements that weaken the protections of the macOS Hardened Runtime. A local attacker able to run code as the same user could inject a malicious dynamic library into the IDE's process and thereby inherit every TCC (Transparency, Consent, and Control) permission the user had granted the application. The fix is included starting from the 2.3.7 release.
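As an added example (not Arduino's code and not part of the advisory), the following Python script shows the check a practitioner would run against an installed bundle: dump its entitlements with `codesign` and flag the Hardened Runtime entitlements that let foreign code into the process, plus a helper that compares the bundle's version string against 2.3.7. The advisory does not say which entitlements Arduino IDE actually shipped, so the flagged list is Apple's general set of injection-enabling entitlements, not a reproduction of the fix; the two sample plists are constructed, and the `--xml` flag to `codesign` is assumed to be available on current macOS.

```python
"""Audit a macOS app bundle's Hardened Runtime entitlements for the
library-injection weaknesses described in CVE-2025-64723.

Added example; not Arduino's code and not part of the advisory. The
entitlement keys below are Apple's documented Hardened Runtime
entitlements; the advisory does not state which ones Arduino IDE shipped,
so this is a general audit, not a reproduction of the fix.
"""
import plistlib
import shutil
import subprocess
import sys

# Hardened Runtime entitlements that, when true, let foreign code reach the
# process and therefore every TCC grant the user gave it.
INJECTION_RISK = {
    "com.apple.security.cs.disable-library-validation":
        "process may load dylibs not signed by the app's Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_INSERT_LIBRARIES and similar variables are honoured at launch",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory may be mapped, weakening code integrity",
    "com.apple.security.get-task-allow":
        "other processes may attach via task_for_pid and inject code",
}

FIXED_VERSION = (2, 3, 7)  # first Arduino IDE release carrying the fix


def extract_plist(raw: bytes) -> bytes:
    """Older codesign builds prefix the XML with a binary blob header;
    keep everything from the first '<?xml' (or '<plist') onward."""
    for marker in (b"<?xml", b"<plist"):
        idx = raw.find(marker)
        if idx != -1:
            return raw[idx:]
    return raw


def risky_entitlements(raw: bytes) -> dict:
    """Return {entitlement: why it matters} for every risky key set to true."""
    entitlements = plistlib.loads(extract_plist(raw))
    return {
        key: INJECTION_RISK[key]
        for key, value in entitlements.items()
        if key in INJECTION_RISK and value is True
    }


def version_is_patched(version: str) -> bool:
    """True if a CFBundleShortVersionString like '2.3.7' is >= 2.3.7.
    A pre-release suffix after '-' is ignored (an assumption about the
    version format, not something the advisory specifies)."""
    numeric = version.split("-", 1)[0]
    parts = tuple(int(p) for p in numeric.split(".")[:3])
    return parts + (0,) * (3 - len(parts)) >= FIXED_VERSION


def audit_bundle(app_path: str) -> dict:
    """Dump the bundle's entitlements with codesign (macOS only) and audit them.
    '--xml' forces XML output; assumed available on current macOS codesign."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; this step only runs on macOS")
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        capture_output=True, check=True,
    )
    return risky_entitlements(result.stdout)


# Constructed sample plists (not taken from any real Arduino IDE build).
SAMPLE_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict></plist>
"""

SAMPLE_TIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>
"""

if __name__ == "__main__":
    # With a bundle path, audit the real app; without one, audit the sample.
    if len(sys.argv) > 1:
        findings = audit_bundle(sys.argv[1])
    else:
        findings = risky_entitlements(SAMPLE_WEAK)
    for key, reason in findings.items():
        print(f"RISK  {key}: {reason}")
    if not findings:
        print("OK    no injection-enabling entitlements set")
```

`allow-jit` is deliberately not flagged: a JavaScript-based IDE legitimately needs it and it does not by itself admit foreign libraries. `disable-library-validation` and `allow-dyld-environment-variables` are the pair that matters for the dylib-injection scenario the description outlines, since together they let a same-user attacker load an unsigned library into the process and inherit its TCC grants.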

CVSS Details

Base Score: 4.8 (CVSS 4.0)
Vector string:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability None
Subsequent System Impact: Confidentiality None, Integrity None, Availability None
Threat, Environmental and Supplemental metrics: not defined (X)

Threat Intelligence

EPSS Exploit Probability
1.3%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-276: Incorrect Default Permissions

Affected Products (2)

Vendor    Product       Version   Range
arduino   arduino_ide   *         < 2.3.7
apple     macos         *         any

References (5)

  • github.com https://github.com/arduino/arduino-ide/commit/1fa0fd31c8d6b62f19332e33713a8c5b0f4ed6f9
    Patch
  • github.com https://github.com/arduino/arduino-ide/pull/2805
    Issue Tracking
  • github.com https://github.com/arduino/arduino-ide/releases/tag/2.3.7
    Product, Release Notes
  • github.com https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj
    Patch, Vendor Advisory
  • support.arduino.cc https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities
    Vendor Advisory

Remediation

  • github.com https://github.com/arduino/arduino-ide/commit/1fa0fd31c8d6b62f19332e33713a8c5b0f4ed6f9
    Patch
  • github.com https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj
    Patch, Vendor Advisory