CVE-2023-40418: An Apple Watch Ultra may not lock when using the Depth app in Apple watchOS

Medium
Tags: Vulnerability, CVE-2023-40418, cve
Published: Tue Sep 26 2023 (09/26/2023, 20:15:00 UTC)
Source: CVE
Vendor/Project: Apple
Product: watchOS

Description

An authentication issue was addressed with improved state management. This issue is fixed in watchOS 10. An Apple Watch Ultra may not lock when using the Depth app.

AI-Powered Analysis

Last updated: 07/07/2025, 00:56:23 UTC

Technical Analysis

CVE-2023-40418 is a medium-severity vulnerability affecting Apple Watch Ultra devices running watchOS, specifically in connection with the Depth app. The issue stems from an authentication flaw caused by improper state management: after the Depth app has been used, the watch may fail to lock as expected and remain unlocked, potentially allowing unauthorized access to the watch's data and functionality. The vulnerability does not impact confidentiality directly but compromises integrity by allowing unauthorized interactions with the device. Triggering it requires local access (attack vector: local) and user interaction (UI:R) but no privileges (PR:N); availability is not affected. The absence of a privilege requirement somewhat lowers the barrier to exploitation. The issue is fixed in watchOS 10 through improved state management that ensures the device locks properly after Depth app usage. There are no known exploits in the wild at this time. The CVSS v3.1 score is 5.5, reflecting medium severity given the limited scope and the need for user interaction. The vulnerability primarily affects Apple Watch Ultra users who use the Depth app, which provides depth measurement and is therefore most likely used by divers and others engaged in underwater activities. It is specific to Apple's watchOS platform and does not affect other Apple devices or operating systems.

Potential Impact

For European organizations, the direct impact of this vulnerability is relatively limited because it targets a consumer wearable device rather than enterprise infrastructure. However, organizations that issue Apple Watch Ultra devices to employees, particularly in sectors such as maritime, diving, environmental research, or emergency services, could face risks related to unauthorized access to sensitive data stored on the watch or misuse of device functionalities if the watch remains unlocked. The vulnerability could lead to unauthorized data modification or leakage of personal or corporate information accessible via the watch. Additionally, if the watch is used for authentication or access control purposes within an organization, the failure to lock could undermine security controls. The risk is heightened in environments where physical device security is less controlled or where the Depth app is actively used. Since the vulnerability requires user interaction and local access, remote exploitation is not feasible, limiting the threat to scenarios involving physical proximity or device theft. Overall, the impact on European organizations is moderate and mostly relevant to niche use cases involving Apple Watch Ultra deployment in operational roles.

Mitigation Recommendations

To mitigate this vulnerability, European organizations and individual users should ensure that all Apple Watch Ultra devices are updated to watchOS 10 or later, where the issue is fixed. IT departments managing Apple devices should enforce update policies that include wearable devices and verify compliance regularly. Users should be educated about the importance of manually locking their devices when not in use, especially after using the Depth app. Organizations should consider disabling or restricting the use of the Depth app on corporate-issued Apple Watch Ultra devices if it is not essential for business operations. Additionally, implementing strong physical security controls to prevent unauthorized access to devices is critical, including secure storage when devices are not worn. For organizations using Apple Watch for authentication or access control, additional layers of security such as multi-factor authentication should be enforced to reduce risk from device compromise. Monitoring for unusual device behavior or unauthorized access attempts can also help detect exploitation attempts. Finally, maintaining an inventory of deployed Apple Watch Ultra devices and their software versions will facilitate timely patch management and risk assessment.

Technical Details

Data Version: 5.1
Assigner Short Name: apple
Date Reserved: 2023-08-14T20:26:36.258Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc8ad

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/7/2025, 12:56:23 AM

Last updated: 8/16/2025, 2:06:54 PM
