Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-44189

CVE-2024-44189: Apple macOS Information Disclosure Flaw

CVE-2024-44189 is an information disclosure vulnerability in Apple macOS that allows processes to capture screen contents without user consent. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-44189 Overview

CVE-2024-44189 is a logic flaw in Apple macOS that allows a process to capture screen contents without user consent. Apple addressed the issue in macOS Sequoia 15 through improved checks on the affected code path. The vulnerability bypasses the Transparency, Consent, and Control (TCC) protections that normally require explicit user approval before an application can record the screen.

Critical Impact

A local or network-reachable process can silently harvest on-screen content, exposing credentials, messages, and other sensitive information rendered on a victim's display.

Affected Products

  • Apple macOS versions prior to macOS Sequoia 15
  • Applications relying on TCC screen recording consent prompts
  • Endpoints where confidential data is displayed on-screen

Discovery Timeline

  • 2024-09-17 - CVE-2024-44189 published to the National Vulnerability Database (NVD)
  • 2024-09-17 - Apple releases macOS Sequoia 15 containing the fix, documented in the Apple Support Document
  • 2024-09-17 - Details published via Full Disclosure Security Notice
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2024-44189

Vulnerability Analysis

The flaw is a logic issue in a macOS component that governs access to screen contents. macOS enforces screen recording permission through the TCC subsystem, which prompts the user before an application can read framebuffer or window server data. The vulnerable code path failed to validate consent correctly, permitting a process to obtain screen contents outside the intended authorization flow.

Because the issue is a logic error rather than a memory corruption bug, exploitation does not require complex primitives. A process that reaches the affected API can read what the user sees without triggering the standard TCC prompt or system indicator. Confidentiality impact is the primary risk; integrity and availability are unaffected according to the published CVSS vector.

Apple resolved the flaw with improved checks in macOS Sequoia 15. The vendor advisory does not disclose the specific component or API surface involved, and no public proof-of-concept has been released.

Root Cause

The root cause is missing or incorrect authorization logic on a screen-capture code path. The check that should have gated access to display contents on TCC consent was either absent or evaluated incorrectly under specific conditions. This categorizes the issue as a Broken Access Control weakness. NVD lists the CWE as NVD-CWE-noinfo because Apple did not publish detailed root-cause information.

Attack Vector

The CVSS vector lists the attack vector as Network with no privileges and no user interaction required, indicating the flaw is reachable through a remote or IPC-accessible surface rather than requiring local code execution. An attacker who can influence the vulnerable process or component may capture screen contents belonging to another user session or application context. The vulnerability compromises only confidentiality.

No verified exploit code is publicly available. The vulnerability is described in prose in Apple's advisory and the Full Disclosure post; see the Apple Support Document for the vendor's technical summary.

Detection Methods for CVE-2024-44189

Indicators of Compromise

  • Unexpected processes accessing CoreGraphics, ScreenCaptureKit, or WindowServer APIs without a corresponding TCC prompt
  • macOS endpoints running builds earlier than macOS Sequoia 15 (sw_vers -productVersion)
  • Absence of the purple screen-recording indicator during periods where capture-related APIs are invoked
  • Anomalous outbound transfers of image or video-shaped data from user endpoints

Detection Strategies

  • Inventory macOS hosts and flag any device reporting a version below 15.0 as exposed
  • Correlate process telemetry against TCC database entries (TCC.db) to identify processes using screen APIs without granted consent
  • Hunt for unsigned or newly introduced binaries that link against ScreenCaptureKit or CGDisplayStream symbols

Monitoring Recommendations

  • Enable endpoint telemetry that records process execution, code signing status, and framework loads on macOS fleets
  • Alert when non-approved applications invoke screen-capture entitlements or when TCC prompts are suppressed
  • Monitor Endpoint Security framework events for ES_EVENT_TYPE_NOTIFY_SCREENSHARING_ATTACH and related capture activity

How to Mitigate CVE-2024-44189

Immediate Actions Required

  • Upgrade all supported Mac systems to macOS Sequoia 15 or later
  • Audit installed applications with screen recording permissions in System Settings and revoke access for any that do not require it
  • Restrict installation of unsigned or unnotarized applications through Gatekeeper policy
  • Prioritize patching for endpoints handling regulated data, executive workflows, or privileged administration sessions

Patch Information

Apple fixed the vulnerability in macOS Sequoia 15 with improved checks on the affected code path. Deployment guidance is available in the Apple Support Document. No backport is documented for earlier macOS releases in the vendor advisory, so upgrading to Sequoia 15 is the supported remediation.

Workarounds

  • Limit which applications can execute on managed Macs using MDM allowlists until the patch is applied
  • Review and minimize entries in the Screen & System Audio Recording pane of Privacy & Security settings
  • Segment sensitive workloads onto patched hosts and restrict network access from unpatched systems
bash
# Verify the installed macOS version meets or exceeds the fixed release
sw_vers -productVersion

# Trigger the software update check and install available updates
sudo softwareupdate --list
sudo softwareupdate --install --all --restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.