CVE-2025-7961 - Vulnerability Details - OpenCVE

Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Apple	Macos
Wulkano	Kap

No data.

No data.

References

Link	Providers
http://wulkano.com/
https://fluidattacks.com/advisories/cafrune
https://getkap.co/
https://github.com/wulkano/Kap

History

Sat, 16 Aug 2025 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Wulkano Wulkano kap
Vendors & Products		Apple Apple macos Wulkano Wulkano kap

Fri, 15 Aug 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 15 Aug 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0.
Title		KAP 3.6.0 - TCC Bypass
Weaknesses		CWE-94
References		http://wulkano.com/ https://fluidattacks.com/advisories/cafrune https://getkap.co/ https://github.com/wulkano/Kap
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2025-08-15T16:43:00.279Z

Updated: 2025-08-15T17:14:10.611Z

Reserved: 2025-07-21T16:19:29.856Z

Link: CVE-2025-7961

Vulnrichment

Updated: 2025-08-15T17:14:06.381Z

NVD

Status : Received

Published: 2025-08-15T17:15:32.937

Modified: 2025-08-15T17:15:32.937

Link: CVE-2025-7961

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-7961", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-07-21T16:19:29.856Z", "datePublished": "2025-08-15T16:43:00.279Z", "dateUpdated": "2025-08-15T17:14:10.611Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["MacOS"], "product": "KAP", "vendor": "Wulkano", "versions": [{"status": "affected", "version": "3.6.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wulkano:kap:3.6.0:*:macos:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.<p>This issue affects KAP: 3.6.0.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-08-15T16:43:00.279Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/cafrune"}, {"tags": ["product"], "url": "https://github.com/wulkano/Kap"}, {"tags": ["related"], "url": "http://wulkano.com/"}, {"tags": ["product"], "url": "https://getkap.co/"}], "source": {"discovery": "UNKNOWN"}, "title": "KAP 3.6.0 - TCC Bypass", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T17:14:02.203396Z", "id": "CVE-2025-7961", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T17:14:10.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7961", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-15T17:14:02.203396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T17:14:06.381Z"}}], "cna": {"title": "KAP 3.6.0 - TCC Bypass", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Wulkano", "product": "KAP", "versions": [{"status": "affected", "version": "3.6.0", "versionType": "custom"}], "platforms": ["MacOS"], "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/cafrune", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wulkano/Kap", "tags": ["product"]}, {"url": "http://wulkano.com/", "tags": ["related"]}, {"url": "https://getkap.co/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.<p>This issue affects KAP: 3.6.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wulkano:kap:3.6.0:*:macos:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-08-15T16:43:00.279Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7961", "state": "PUBLISHED", "dateUpdated": "2025-08-15T17:14:10.611Z", "dateReserved": "2025-07-21T16:19:29.856Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2025-08-15T16:43:00.279Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0."}], "id": "CVE-2025-7961", "lastModified": "2025-08-15T17:15:32.937", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-15T17:15:32.937", "references": [{"source": "[email protected]", "url": "http://wulkano.com/"}, {"source": "[email protected]", "url": "https://fluidattacks.com/advisories/cafrune"}, {"source": "[email protected]", "url": "https://getkap.co/"}, {"source": "[email protected]", "url": "https://github.com/wulkano/Kap"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "[email protected]", "type": "Primary"}]}