CVE-2024-44165 Overview
CVE-2024-44165 is a logic flaw in Apple operating systems that allows network traffic to leak outside an active VPN tunnel. Apple addressed the issue with improved checks across iOS, iPadOS, macOS, and visionOS. The vulnerability is exploitable over the network without authentication or user interaction, and it can expose data that users expect to be encapsulated within the VPN. Apple resolved the issue in iOS 17.7, iPadOS 17.7, iOS 18, iPadOS 18, macOS Sequoia 15, macOS Sonoma 14.7, macOS Ventura 13.7, and visionOS 2.
Critical Impact
Network traffic intended to traverse a VPN tunnel may leak outside the tunnel, exposing source IP addresses and unencrypted traffic to network observers.
Affected Products
- Apple macOS (Ventura prior to 13.7, Sonoma prior to 14.7, Sequoia prior to 15)
- Apple iOS and iPadOS prior to 17.7 and prior to 18
- Apple visionOS prior to 2
Discovery Timeline
- 2024-09-17 - CVE-2024-44165 published to the National Vulnerability Database (NVD)
- 2026-04-02 - Last updated in the NVD database
Technical Details for CVE-2024-44165
Vulnerability Analysis
The vulnerability is a logic flaw in how Apple operating systems handle network traffic routing when a Virtual Private Network (VPN) tunnel is active. Under specific conditions, packets that should be encapsulated within the VPN tunnel bypass it and traverse the underlying physical network interface. This leakage defeats the confidentiality and routing guarantees users expect from a VPN connection. The flaw affects multiple Apple platforms, indicating the issue resides in shared networking logic common to iOS, iPadOS, macOS, and visionOS. Apple categorized the fix as a logic issue addressed with improved checks, suggesting the routing decision path failed to consistently apply VPN policy to all eligible traffic flows.
Root Cause
The root cause is improper enforcement of VPN routing policy in the networking stack. Insufficient checks allowed certain packets to be sent over the default interface rather than the VPN interface. The classification falls under [NVD-CWE-noinfo] because Apple did not publish a specific CWE mapping for the issue.
Attack Vector
An attacker positioned to observe traffic on the underlying physical network can capture data that leaks outside the VPN tunnel. Exploitation does not require credentials or user interaction on the affected device. The attacker does not directly compromise the device. Instead, they passively or actively intercept traffic that the device incorrectly routes outside the encrypted tunnel.
No public proof-of-concept code is associated with this advisory. Refer to the Apple Security Support Document #121234 and related advisories for vendor-supplied technical details.
Detection Methods for CVE-2024-44165
Indicators of Compromise
- Network flow records showing traffic from Apple endpoints leaving the corporate egress on the physical interface IP while a VPN session is established on the same device.
- DNS queries observed at non-VPN resolvers when split-tunnel policies should force resolution through the VPN.
- VPN concentrator logs showing fewer tunneled flows than expected for active client sessions.
Detection Strategies
- Correlate endpoint VPN connection state with NetFlow or firewall logs at the corporate perimeter to identify traffic bypassing the tunnel.
- Compare expected tunneled destinations against observed connections on the physical interface to flag policy violations.
- Monitor Apple OS version inventory and alert on devices running pre-patch builds (iOS/iPadOS prior to 17.7 or 18, macOS prior to 14.7, 13.7, or 15, visionOS prior to 2).
Monitoring Recommendations
- Ingest VPN gateway, firewall, and endpoint telemetry into a central data lake to correlate per-device tunnel state with observed network paths.
- Build dashboards tracking Apple OS patch compliance against the fixed versions listed in Apple advisories.
- Alert on egress traffic from managed Apple devices to destinations that should only be reachable via the VPN.
How to Mitigate CVE-2024-44165
Immediate Actions Required
- Upgrade affected Apple devices to iOS 17.7, iPadOS 17.7, iOS 18, iPadOS 18, macOS Sequoia 15, macOS Sonoma 14.7, macOS Ventura 13.7, or visionOS 2.
- Inventory all managed Apple endpoints through MDM and enforce minimum OS versions through compliance policies.
- Review VPN gateway logs for the period prior to patching to identify devices whose traffic may have leaked outside the tunnel.
Patch Information
Apple released fixes in iOS 17.7, iPadOS 17.7, iOS 18, iPadOS 18, macOS Sequoia 15, macOS Sonoma 14.7, macOS Ventura 13.7, and visionOS 2. Refer to the official Apple advisories: Apple Security Support Document #121234, #121238, #121246, #121247, #121249, and #121250.
Workarounds
- Enforce a kill-switch or always-on VPN configuration via MDM so that traffic is blocked when the VPN tunnel is not active.
- Restrict sensitive applications on unpatched Apple devices to trusted networks until updates are applied.
- Use per-app VPN profiles that bind specific applications to the tunnel interface, reducing the surface for routing logic errors.
# Verify installed macOS version against the fixed releases
sw_vers -productVersion
# On iOS/iPadOS/visionOS, confirm version via Settings > General > About,
# or query enrolled devices through MDM for OSVersion >= 17.7 / 18 / 2.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

