Positive Technologies specialist discovered a critical bug in Apple Shortcuts

Positive Technologies expert Egor Filatov discovered a critical vulnerability in the Shortcuts app. If successfully exploited, the flaw could allow an attacker to gain full control over the device, including the ability to read, modify, and delete any information.

Shortcuts was first introduced in macOS Monterey in 2021 and has since been included in Ventura, Sonoma, and Sequoia. The app allows users to create quick commands for the computer to perform functions such as starting a timer, playing music, or converting text to audio.

Additionally, users have access to pre-made command macros, which attackers could exploit by uploading malicious templates to the library. For an attacker to take advantage of this security flaw, the victim would only need to carelessly run a malicious macro created by the attacker on their device.

"If successfully exploited, this vulnerability in the Shortcuts app could hypothetically allow an attacker to target any inattentive user. Before the patch, the flaw enabled an attacker to bypass macOS security mechanisms and execute arbitrary code on the victim’s operating system," explained Egor Filatov, Junior Specialist in Mobile Application Security Research at Positive Technologies.

The vulnerability was found in Shortcuts 7.0 (2607.1.3), assigned the identifier BDU:2025-02497, and rated 9.8 out of 10 on the CVSS 3.0 scale. Apple has since fixed the bug and released a corresponding update.

Users are now advised to install macOS Sequoia 15.5 or later. If updating the OS is not possible, experts recommend carefully checking downloaded shortcuts before running them or avoiding their use altogether.