LOW 3.5

CVE-2022-48575: macOS Login Window Bypass via State Handling Flaw

CVE-2022-48575 is a local bypass vulnerability in macOS that allows someone with physical access to a Mac to circumvent the Login Window security prompt. The issue stems from inconsistent state handling in the authentication system—essentially, the login screen may fail to properly enforce its security state in certain conditions, potentially allowing unauthorized access. Apple has patched this in macOS Monterey 12.4 and later.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.5 LOW · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-287
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

A person with access to a Mac may be able to bypass Login Window. A consistency issue was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is rooted in a state management flaw in macOS's Login Window component (CWE-287: Improper Authentication). The attack vector is physical (AV:P), meaning an attacker must have in-person access to the device. The vulnerability exploits a consistency issue where the Login Window's security state is not properly maintained or verified across transitions, creating a narrow window for bypass. The low CVSS score (3.5) reflects the physical access requirement and limited impact scope (confidentiality and integrity only; no availability impact).

Business impact

The practical risk is confined to organizations with heightened physical security threats—such as those in high-security facilities, shared workspaces, or environments where unattended Macs may be left accessible. A threat actor with desk-side access could potentially access user data or modify system settings without authentication. For most enterprises with standard office security, the impact is minimal, but financial services, healthcare, and defense sectors should treat this more seriously. The vulnerability does not enable remote exploitation, significantly limiting its business scope.

Affected systems

Apple macOS systems prior to Monterey 12.4 are vulnerable. This includes Monterey 12.0 through 12.3 and potentially earlier macOS versions, though Apple's description specifically references the Monterey 12.4 fix. Organizations running Monterey, Big Sur, or older versions should prioritize verification and patching. The vulnerability does not affect iOS, iPadOS, or other Apple platforms based on the available information.

Exploitability

Exploitability is low in real-world attack scenarios. An attacker must be physically present at an unlocked or minimally secured Mac, then execute the bypass during a narrow state transition window. There is no indication of a public exploit, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild is either absent or minimal. The fix has been available since mid-2022, allowing ample time for patching.

Remediation

Update macOS Monterey to version 12.4 or later. Users on earlier macOS versions (Big Sur, Catalina) should check Apple's security bulletins for equivalent patches or plan upgrades accordingly. Beyond patching, enforce physical security controls: require attendants to lock their machines when away, disable auto-login, and configure firmware password protection. These compensating controls significantly reduce attack surface even if systems remain unpatched.

Patch guidance

Apply macOS Monterey 12.4 or any subsequent security update released by Apple. Users can verify their version by clicking the Apple menu > About This Mac > System Report and checking the macOS version. Automatic updates should be enabled in System Preferences > General > Software Update to ensure timely delivery of future security patches. Organizations managing multiple Macs should deploy patches via MDM or similar configuration management tools to ensure consistent coverage.

Detection guidance

Detection is challenging because the vulnerability exploits a transient state inconsistency. Focus on preventive measures: log and monitor failed Login Window events via system logs (Console.app or /var/log/system.log), though the bypass may not generate obvious error messages. Implement endpoint detection and response (EDR) solutions to flag unusual authentication patterns or state anomalies. Physical security monitoring (camera, access logs) is more practical than technical detection for this threat vector. Regular configuration audits to verify firmware passwords and login policies are enabled can help catch systems at risk.

Why prioritize this

This vulnerability merits medium-low prioritization. The physical access requirement drastically reduces enterprise risk compared to remote exploits. However, organizations with valuable IP, regulated data, or high-profile personnel should prioritize patching sooner, as targeted physical attacks are plausible in those contexts. The age of the vulnerability (patch available since 2022) and lack of KEV status suggest it has not been actively weaponized, further lowering urgency for most organizations.

Risk score, explained

The CVSS 3.1 score of 3.5 (LOW) reflects the authentication bypass nature of the flaw, but the physical access vector (AV:P) is the dominant limiting factor. If this were remotely exploitable, the score would be significantly higher. The Low Complexity (AC:L) and No Privileges Required (PR:N) components indicate that execution is straightforward once physical access is obtained, but that prerequisite substantially constrains real-world applicability. Confidentiality and Integrity impacts are partial (not complete compromise), which also keeps the severity bounded.

Frequently asked questions

Do I need to patch this immediately if I'm running macOS Monterey 12.3?

No, immediate action is not critical for most organizations. However, you should prioritize it within your next 1–2 maintenance windows. The physical access requirement means it is not an emergency remote threat. If your environment includes unattended public-facing Macs, shared workspaces, or high-security zones, move it up the queue.

Does this vulnerability affect Big Sur or Catalina?

The advisory specifies the fix in Monterey 12.4, but does not explicitly detail whether earlier versions remain vulnerable or have received patches. Check Apple's security bulletins for Big Sur and Catalina specifically. If no patch is listed, those systems may have reached end-of-support; consider planning an upgrade as part of your broader macOS lifecycle management.

Can this be exploited remotely or only with physical access?

Only with physical access. The attack vector is strictly local (AV:P). An attacker must be physically present at or have hands-on access to the machine. There is no remote exploitation path.

What is the difference between this and a standard Login Window bypass attack?

The vulnerability stems from a consistency issue in state handling—essentially, the Login Window's internal state machine is not always synchronized, creating transient moments when the bypass is possible. This is distinct from brute-force password attacks or social engineering; it is a logic flaw that Apple fixed by improving state verification. The specific attack steps are not public, and the flaw is subtle enough that it warrants patching even though it is not actively exploited at scale.

This analysis is provided for informational purposes and represents the state of knowledge as of the analysis date. Vulnerability details, patch availability, and exploit status may change. Always verify patch information against official Apple security advisories before deploying updates. SEC.co does not warrant the completeness or accuracy of this analysis in all environments. Organizations should conduct their own risk assessment based on their specific infrastructure, threat model, and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).