CVE-2024-40795 is a vulnerability identified in Apple’s iOS and iPadOS platforms, as well as related operating systems including watchOS, macOS Sonoma, and tvOS. The flaw allows an application with limited privileges (local access and some permissions) to read sensitive location information without requiring user interaction. This indicates a weakness in the data protection mechanisms governing location data access, potentially allowing apps to bypass intended privacy controls. The vulnerability was addressed by Apple in version 17.6 of iOS and iPadOS, 10.6 of watchOS, 14.6 of macOS Sonoma, and 17.6 of tvOS through improved data protection implementations. The CVSS v3.1 score is 3.3, reflecting a low severity primarily due to the requirement for local access (attack vector: local), low privileges (PR:L), no user interaction (UI:N), and limited impact confined to confidentiality (C:L) without affecting integrity or availability. No known exploits have been reported in the wild, suggesting limited active threat at present. However, the ability for an app to access sensitive location data without explicit user consent poses privacy concerns, especially for users and organizations handling sensitive or regulated data. The vulnerability underscores the importance of strict access controls and data protection for location services on Apple devices.

For European organizations, the primary impact of CVE-2024-40795 is the potential unauthorized disclosure of sensitive location information through malicious or compromised applications installed on Apple devices. This could lead to privacy violations, targeted surveillance, or leakage of user movement patterns, which is particularly sensitive under the GDPR and other European privacy regulations. While the vulnerability does not affect system integrity or availability, the confidentiality breach could undermine trust and compliance efforts, especially for sectors like finance, healthcare, and government that rely on Apple devices. The requirement for local app installation and privileges limits remote exploitation risk but does not eliminate insider threats or risks from social engineering leading to app installation. Organizations with mobile device management (MDM) policies and strict app vetting can reduce exposure. Failure to patch promptly may increase risk as attackers could develop exploits over time.

1. Deploy the latest Apple OS updates immediately: iOS 17.6, iPadOS 17.6, watchOS 10.6, macOS Sonoma 14.6, and tvOS 17.6 contain the fix for this vulnerability. 2. Enforce strict app installation policies via MDM solutions to restrict installation to trusted and vetted applications only. 3. Regularly audit app permissions on managed devices, focusing on location access, and revoke unnecessary privileges. 4. Educate users about the risks of installing untrusted apps and the importance of OS updates. 5. Implement network-level monitoring for unusual app behavior that may indicate unauthorized data access. 6. Use privacy-focused configurations and limit background app refresh for apps that do not require location data. 7. For highly sensitive environments, consider disabling location services where feasible or using geofencing controls to limit data exposure. 8. Maintain incident response readiness to investigate any suspicious access to location data.