CVE-2022-48575 Overview
CVE-2022-48575 is an authentication bypass vulnerability [CWE-287] affecting Apple macOS. A person with physical access to a Mac may be able to bypass the Login Window screen. Apple addressed the issue through improved state handling, resolving a consistency flaw in how the login session managed authentication state.
The vulnerability requires physical access to the target device and does not require user interaction or prior privileges. Successful exploitation could allow an attacker to bypass authentication controls and access the user session. Apple shipped the fix in macOS Monterey 12.4.
Critical Impact
An attacker with physical access to an affected Mac can bypass the Login Window and reach the desktop session without supplying valid credentials.
Affected Products
- Apple macOS prior to Monterey 12.4
- Apple Mac systems running vulnerable macOS builds
- Login Window authentication component
Discovery Timeline
- 2026-06-10 - CVE-2022-48575 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2022-48575
Vulnerability Analysis
The vulnerability resides in the macOS Login Window, the system component responsible for authenticating users before granting access to a session. Apple's advisory describes the root issue as a consistency problem in state handling. The Login Window failed to maintain a coherent view of authentication state under certain conditions, allowing the session to transition past the authentication gate without verifying credentials.
The weakness maps to CWE-287 (Improper Authentication). Because the attack requires physical proximity to the target device, the exposure is bounded to scenarios involving lost, stolen, or unattended Macs. The impact covers limited confidentiality and integrity loss tied to the contents of the unlocked session.
Root Cause
Apple attributes the flaw to inconsistent state tracking within the Login Window process. When the component evaluated whether a user had completed authentication, it could be coaxed into a state where the gating logic and the session-presentation logic disagreed. Apple resolved the issue by tightening state transitions so that the authentication decision is consistent with the session that is ultimately presented.
Attack Vector
Exploitation requires physical access to the locked Mac. An attacker interacts with the Login Window in a way that drives the component into the inconsistent state, then reaches the user's desktop without entering the account password. No network access, prior account, or social engineering of the legitimate user is required. Technical specifics are not enumerated in Apple's public advisory; see the Apple Support Document 213257 for vendor guidance.
Detection Methods for CVE-2022-48575
Indicators of Compromise
- Unexpected interactive logons on Macs that should be locked or unattended
- Session activity timestamps that do not align with a recorded loginwindow authentication event
- Physical-access anomalies such as devices found unlocked after being left at the Login Window
Detection Strategies
- Correlate loginwindow and securityd events in the unified log to confirm each session start is preceded by a successful credential check
- Alert on user sessions that begin without a corresponding authenticated state transition in authentication subsystem logs
- Track wake-from-sleep and lid-open events followed by session activity without a matching authentication record
Monitoring Recommendations
- Forward macOS endpoint telemetry, including log show authentication events, to a centralized analytics platform for review
- Enable MDM compliance reporting to verify managed Macs are running macOS Monterey 12.4 or later
- Review physical security controls and tamper indicators for endpoints that store sensitive data
How to Mitigate CVE-2022-48575
Immediate Actions Required
- Update affected Macs to macOS Monterey 12.4 or a later supported release that includes the fix
- Inventory endpoints still running pre-12.4 builds and prioritize them for patching
- Enforce FileVault full-disk encryption so that bypassing the Login Window does not yield decrypted data on rebooted systems
Patch Information
Apple released the fix in macOS Monterey 12.4. Refer to Apple Support Document 213257 and Apple Support Document 102871 for the official security content and update instructions. Apply the update through Software Update or via your MDM platform.
Workarounds
- Restrict physical access to Macs through locked offices, cable locks, and clean-desk policies
- Require FileVault encryption to protect data at rest if the Login Window is bypassed
- Configure short screen-lock timeouts and require a password immediately after sleep or screen saver
- Shut down rather than only locking Macs when leaving devices unattended in low-trust environments
# Verify the installed macOS version meets the patched release
sw_vers -productVersion
# Confirm FileVault is enabled for data-at-rest protection
fdesetup status
# Require password immediately after sleep or screen saver
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
