CVE-2024-27819 is a vulnerability identified in Apple’s iOS and iPadOS operating systems that permits an attacker with physical access to a locked device to access the contacts list without unlocking the device. The root cause lies in the insufficient restriction of options and functionalities available on the lock screen, which inadvertently allows exposure of contact information. This vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to properly restrict access to sensitive data. The issue was resolved in iOS and iPadOS version 17.5 by restricting the options presented on the lock screen, thereby preventing unauthorized access to contacts. The CVSS v3.1 base score is 2.4, reflecting a low severity due to the requirement of physical access and the limited scope of data exposure (contacts only). Exploitation does not require any user interaction or prior authentication, but the attacker must have direct physical possession of the device. There are no reports of active exploitation in the wild. This vulnerability primarily impacts the confidentiality of contact information but does not affect the integrity or availability of the device or its data.

The primary impact of CVE-2024-27819 is the unauthorized disclosure of contact information from a locked iOS or iPadOS device. For organizations, this could lead to privacy violations, potential social engineering, or spear-phishing attacks if sensitive contact details are exposed. While the vulnerability does not allow modification or deletion of data, the leakage of contacts can compromise personal and professional relationships and may expose individuals to targeted attacks. The requirement for physical access limits the scope of exploitation to scenarios such as theft, loss, or unauthorized physical access in environments like offices or public spaces. The impact is thus more significant for high-profile individuals, executives, or organizations handling sensitive contacts. Since the vulnerability does not affect device integrity or availability, it is less likely to cause operational disruption but remains a privacy concern.

To mitigate this vulnerability, affected users and organizations should promptly update all iOS and iPadOS devices to version 17.5 or later, where the issue is fixed. Beyond patching, organizations should enforce strict physical security controls to prevent unauthorized access to devices, including policies for device handling, storage, and supervision in sensitive environments. Enabling strong device passcodes and biometric authentication can reduce the risk of physical exploitation. Additionally, disabling lock screen features that expose sensitive information, such as contact previews or shortcuts, can further limit data exposure. Organizations should also educate users about the risks of leaving devices unattended and encourage the use of remote wipe capabilities in case of device loss or theft. Regular audits of device security settings and user awareness training are recommended to maintain a robust security posture.