CVE-2024-40822 is a vulnerability identified in Apple’s iOS and iPadOS operating systems that allows an attacker with physical access to a device to access the contacts list directly from the lock screen. The root cause is insufficient restriction of options available on a locked device, which enables unauthorized viewing of contact information without requiring authentication or user interaction. This vulnerability affects multiple Apple platforms, including iOS, iPadOS, macOS Sonoma, and watchOS, and was addressed by Apple through updates that restrict lock screen options to prevent such unauthorized access. The vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to enforce proper access restrictions. The CVSS v3.1 base score is 2.4, reflecting low impact primarily on confidentiality, with no impact on integrity or availability. Exploitation requires physical access but no privileges or user interaction, limiting the attack vector to scenarios where an attacker can physically handle the device. Apple released patches in iOS 16.7.9, iPadOS 16.7.9, iOS 17.6, iPadOS 17.6, macOS Sonoma 14.6, and watchOS 10.6 to mitigate this issue. No public exploits or widespread attacks have been reported to date.

The primary impact of CVE-2024-40822 is the unauthorized disclosure of contact information from a locked Apple device, which compromises confidentiality. While the vulnerability does not allow modification of data or disruption of device functionality, exposure of contacts can lead to privacy violations, social engineering, or targeted phishing attacks. Organizations relying heavily on Apple devices for sensitive communications may face increased risks of information leakage if devices are lost, stolen, or accessed by unauthorized personnel. The requirement for physical access limits remote exploitation, but insider threats or theft scenarios remain relevant. The vulnerability’s low severity and limited scope reduce the likelihood of widespread impact, but the exposure of personal or business contacts can still have reputational and operational consequences for affected individuals and organizations.

To mitigate CVE-2024-40822, organizations and users should promptly apply the security updates released by Apple for iOS 16.7.9, iPadOS 16.7.9, iOS 17.6, iPadOS 17.6, macOS Sonoma 14.6, and watchOS 10.6. Beyond patching, administrators should review and tighten lock screen settings to minimize accessible information without authentication, such as disabling features that allow contact previews or access to messaging and calling functions from the lock screen. Employing strong device passcodes and enabling biometric authentication can further reduce unauthorized access risks. Physical security controls should be enhanced to prevent unauthorized individuals from gaining physical access to devices. Additionally, organizations should educate users about the risks of leaving devices unattended and encourage reporting of lost or stolen devices immediately. Monitoring for unusual access patterns or attempts to bypass lock screen protections can also help detect exploitation attempts.