{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-43515", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-04-16T15:27:21.196Z", "datePublished": "2025-11-13T19:03:39.301Z", "dateUpdated": "2026-04-02T18:23:48.331Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code"}]}], "affected": [{"vendor": "Apple", "product": "Compressor", "versions": [{"version": "0", "status": "affected", "lessThan": "4.11.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code."}], "references": [{"url": "https://support.apple.com/en-us/125693"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:23:48.331Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-43515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-14T04:55:41.634102Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:57:01.542Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Nov/17"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-14T03:23:36.019Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Nov/17"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-14T03:23:36.019Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-43515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-14T04:55:41.634102Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T19:29:52.275Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "Compressor", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "4.11", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/125693"}], "descriptions": [{"lang": "en", "value": "The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-11-13T19:03:39.301Z"}}}, "cveMetadata": {"cveId": "CVE-2025-43515", "state": "PUBLISHED", "dateUpdated": "2026-02-26T16:57:01.542Z", "dateReserved": "2025-04-16T15:27:21.196Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-11-13T19:03:39.301Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:compressor:*:*:*:*:*:*:*:*", "matchCriteriaId": "E461A3F3-EEAD-45A4-B3CC-953C668278D8", "versionEndExcluding": "4.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code."}], "id": "CVE-2025-43515", "lastModified": "2025-11-17T19:21:44.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-13T19:15:47.907", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/125693"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2025/Nov/17"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:11:43.057394+00:00", "value": {"mitigation_remediation": ["Upgrade Apple Compressor to version 4.11.1 or later", "Configure firewalls or network segmentation to block inbound traffic to the Compressor service port", "Disable or restrict external connections in Compressor configuration to reduce exposure if an upgrade is not immediately possible"], "summary": {"action": "Do Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Apple Compressor, versions prior to 4.11.1, running on any supported platform where external networking is enabled. All machines that expose the Compressor service to local network traffic are affected.", "description_and_impact": "The vulnerability exists in Apple Compressor because the service accepts external connections without authentication. When enabled, an unauthenticated user on the same network can send crafted requests that cause the Compressor process to execute arbitrary code, potentially allowing full control of the impacted machine. The weakness corresponds to improper access control (CWE\u2011284).", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity flaw, yet the EPSS score is less than 1%, suggesting low current exploitation activity. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is a local network attacker without authentication, with the necessary precondition of the Compressor service accepting external connections. Exploitation therefore requires the attacker to be on the same subnet and to reach the service endpoint."}}}}, "created": "2025-11-14T09:27:41.837404+00:00", "title": "Apple Compressor Remote Code Execution via External Connections", "updated": "2026-04-22T21:15:27.683480+00:00", "vendors": ["apple", "apple$PRODUCT$compressor"]}