CVE-2024-23255: Photos in the Hidden Photos Album may be viewed without authentication in Apple iOS and iPadOS
CVE-2024-23255 is a critical authentication vulnerability in Apple iOS and iPadOS that allowed photos in the Hidden Photos Album to be viewed without authentication. This issue was addressed by Apple through improved state management and is fixed in iOS 17. 4 and iPadOS 17. 4. The vulnerability has a high CVSS score of 9. 1, indicating a severe impact on confidentiality and integrity without requiring privileges or user interaction. Apple has officially released patches for this vulnerability as part of their iOS 17. 4 and iPadOS 17. 4 updates.
AI Analysis
Technical Summary
CVE-2024-23255 is an authentication bypass vulnerability affecting Apple iOS and iPadOS devices. It allowed unauthorized viewing of photos stored in the Hidden Photos Album without requiring user authentication. Apple resolved this issue by improving state management mechanisms within the affected operating systems. The fix is included in iOS 17.4 and iPadOS 17.4 releases. The vulnerability is rated critical with a CVSS 3.1 base score of 9.1, reflecting its network attack vector, low attack complexity, no privileges required, and no user interaction needed, with high confidentiality and integrity impacts. This vulnerability is part of a broader set of security fixes released by Apple in March 2024.
Potential Impact
An attacker could view photos in the Hidden Photos Album on affected iOS and iPadOS devices without authenticating, compromising user privacy and confidentiality of sensitive images. The vulnerability does not require privileges or user interaction, increasing the risk of unauthorized data exposure. There are no known exploits in the wild at the time of disclosure. The issue could lead to significant privacy violations if exploited.
Mitigation Recommendations
Apple has released official patches addressing this vulnerability in iOS 17.4 and iPadOS 17.4. Users and administrators should apply these updates promptly to remediate the issue. Since this is a client-side vulnerability in device operating systems, updating to the fixed versions is the primary and recommended mitigation. No additional vendor advisories indicate alternative mitigations or temporary workarounds.
CVE-2024-23255: Photos in the Hidden Photos Album may be viewed without authentication in Apple iOS and iPadOS
Description
CVE-2024-23255 is a critical authentication vulnerability in Apple iOS and iPadOS that allowed photos in the Hidden Photos Album to be viewed without authentication. This issue was addressed by Apple through improved state management and is fixed in iOS 17. 4 and iPadOS 17. 4. The vulnerability has a high CVSS score of 9. 1, indicating a severe impact on confidentiality and integrity without requiring privileges or user interaction. Apple has officially released patches for this vulnerability as part of their iOS 17. 4 and iPadOS 17. 4 updates.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-23255 is an authentication bypass vulnerability affecting Apple iOS and iPadOS devices. It allowed unauthorized viewing of photos stored in the Hidden Photos Album without requiring user authentication. Apple resolved this issue by improving state management mechanisms within the affected operating systems. The fix is included in iOS 17.4 and iPadOS 17.4 releases. The vulnerability is rated critical with a CVSS 3.1 base score of 9.1, reflecting its network attack vector, low attack complexity, no privileges required, and no user interaction needed, with high confidentiality and integrity impacts. This vulnerability is part of a broader set of security fixes released by Apple in March 2024.
Potential Impact
An attacker could view photos in the Hidden Photos Album on affected iOS and iPadOS devices without authenticating, compromising user privacy and confidentiality of sensitive images. The vulnerability does not require privileges or user interaction, increasing the risk of unauthorized data exposure. There are no known exploits in the wild at the time of disclosure. The issue could lead to significant privacy violations if exploited.
Mitigation Recommendations
Apple has released official patches addressing this vulnerability in iOS 17.4 and iPadOS 17.4. Users and administrators should apply these updates promptly to remediate the issue. Since this is a client-side vulnerability in device operating systems, updating to the fixed versions is the primary and recommended mitigation. No additional vendor advisories indicate alternative mitigations or temporary workarounds.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apple
- Date Reserved
- 2024-01-12T22:22:21.487Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 690a47526d939959c802271b
Added to database: 11/4/2025, 6:34:58 PM
Last enriched: 4/9/2026, 11:04:27 PM
Last updated: 5/9/2026, 8:47:59 AM
Views: 64
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.