CVE-2025-64724

Name: CVE-2025-64724
Creator: NVD / NIST
Published: 2025-12-18T16:15:55.623+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.8/10EPSS 0.10%

Last modified Jun 17, 2026

CVE-2025-64724 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. EPSS estimates a 0.10% chance of exploitation in the next 30 days.

Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.

Metrics

CVSS 3.1

7.3/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0

4.8/10

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.10%

1.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-276

Affected Software

Vendor	Product	Versions
Arduino	Arduino Ide	< 2.3.7

References

https://github.com/arduino/arduino-ide/pull/2805/commits/5d282f38496e96dcba02818536c0835bd684ec98Patch
https://github.com/arduino/arduino-ide/releases/tag/2.3.7Product, Release Notes
https://github.com/arduino/arduino-ide/security/advisories/GHSA-3fvj-pgqw-fgw6Patch, Vendor Advisory
https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-VulnerabilitiesVendor Advisory

Timeline

Published: Dec 18, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-64724?

How severe is CVE-2025-64724?

CVE-2025-64724 has a CVSS score of 4.8/10 (MEDIUM severity). The EPSS model estimates a 0.10% probability of exploitation in the next 30 days.

How do I fix CVE-2025-64724?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-64724?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST