CVE-2023-42923 is a security vulnerability identified in Apple’s iOS and iPadOS operating systems affecting the Private Browsing feature in Safari. Private Browsing is designed to prevent the storage of browsing history, cookies, and other data, ensuring user privacy. However, due to improper state management within the OS, private browsing tabs can be accessed without requiring user authentication. This means that if an attacker gains physical access to a device or can bypass the lock screen, they could view private browsing sessions that should otherwise remain confidential. The vulnerability does not require user interaction or prior authentication, making it easier to exploit in scenarios such as device theft or unauthorized physical access. Apple addressed this issue in iOS and iPadOS version 17.2 by improving state management to enforce proper access controls on Private Browsing tabs. The affected versions are unspecified but include all versions prior to 17.2. There are no known exploits reported in the wild at the time of publication, but the vulnerability poses a significant privacy risk. This flaw primarily impacts confidentiality, as unauthorized users can access sensitive browsing data that users expect to remain private. The vulnerability does not appear to affect system integrity or availability. Since the flaw is related to local device access, remote exploitation is unlikely without physical access or bypassing device locks. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors.

For European organizations, this vulnerability presents a significant risk to the confidentiality of sensitive information accessed via mobile devices running vulnerable iOS or iPadOS versions. Employees using Private Browsing for confidential research, accessing sensitive corporate web applications, or handling personal data could have their browsing activity exposed if their devices are lost, stolen, or accessed by unauthorized personnel. This could lead to data leakage, privacy violations under GDPR, and potential reputational damage. The impact is particularly critical for sectors handling sensitive data such as finance, healthcare, legal, and government agencies. Since the vulnerability does not require authentication or user interaction, the risk is elevated in environments where device physical security is not strictly enforced. Additionally, the widespread use of Apple devices in European corporate and government environments increases the potential attack surface. While no active exploits are known, the vulnerability could be leveraged in targeted attacks or opportunistic data theft scenarios.

European organizations should prioritize updating all iOS and iPadOS devices to version 17.2 or later to remediate this vulnerability. Device management policies should enforce automatic updates or prompt users to install critical security patches promptly. Implementing strong device-level authentication mechanisms such as complex passcodes, biometric locks (Face ID/Touch ID), and automatic device lock timeouts will reduce the risk of unauthorized physical access. Organizations should also consider deploying Mobile Device Management (MDM) solutions to enforce encryption, restrict device sharing, and remotely wipe lost or stolen devices. Educating employees about the risks of leaving devices unattended and the importance of reporting lost devices immediately is critical. For highly sensitive environments, disabling Private Browsing or restricting its use via configuration profiles may be warranted until devices are fully patched. Regular audits of device compliance and security posture will help identify unpatched or vulnerable devices. Finally, organizations should monitor for any emerging exploit activity related to this vulnerability and adjust defenses accordingly.