CVE-2025-66004 PUBLISHED

Local privilege escalation in usbmuxd from arbitrary local user to usbmux

Assigner: suse
Reserved: 19.11.2025 Published: 10.12.2025 Updated: 22.12.2025

A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user.This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba.

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	Low	Availability	Low
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
CVSS Score: 5.7

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	libimobiledevice
Product	usbmuxd
Versions	Default: unaffected affected from 0 to 3ded00c9985a5108cfc7591a309f9a23d57a8cba (excl.)

Credits

Wolfgang Frisch of SUSE finder

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66004

Problem Types

CWE-35: Path Traversal: '.../...//' CWE