CVE-2024-40851 is a vulnerability identified in Apple’s iOS and iPadOS operating systems that allows an attacker with physical access to a locked device to view contact photos directly from the lock screen. The issue arises because the lock screen offers options that inadvertently expose contact images without requiring device unlock or user interaction. This exposure compromises the confidentiality of contact information, potentially revealing personal or business-related contacts to unauthorized individuals. The vulnerability does not impact the integrity or availability of the device or its data. Apple addressed this issue in iOS 18.1 and iPadOS 18.1 by restricting the options available on the lock screen, thereby preventing unauthorized access to contact photos. The CVSS v3.1 base score is 2.4, reflecting a low severity due to the requirement for physical access, no authentication bypass, and limited impact scope. There are no known exploits in the wild, and the affected versions are unspecified but presumably all versions prior to 18.1. This vulnerability primarily represents a privacy concern rather than a critical security threat but could be leveraged in targeted physical attacks or social engineering scenarios.

For European organizations, the primary impact of CVE-2024-40851 is the potential leakage of contact photos from locked Apple devices, which could reveal sensitive personal or professional relationships. This may facilitate social engineering attacks or unauthorized profiling of employees or executives. Although the vulnerability does not allow access to messages, emails, or other sensitive data, the exposure of contact images can still undermine privacy policies and compliance with data protection regulations such as GDPR. The requirement for physical access limits the risk to scenarios involving device theft, loss, or insider threats. Organizations with mobile workforces using iPhones or iPads should be aware of this risk, especially in sectors where confidentiality of contacts is critical, such as government, finance, or legal services. The low severity and absence of remote exploitation reduce the likelihood of widespread impact but do not eliminate the need for mitigation.

To mitigate CVE-2024-40851, European organizations should prioritize updating all iOS and iPadOS devices to version 18.1 or later, where the vulnerability is fixed. Beyond patching, organizations should enforce strict physical security policies for mobile devices, including the use of secure storage, device tracking, and immediate reporting of lost or stolen devices. Implementing mobile device management (MDM) solutions can help enforce update compliance and restrict lock screen functionalities where possible. Educating employees about the risks of physical device access and encouraging the use of strong passcodes and biometric locks will further reduce exposure. Additionally, disabling or limiting lock screen features that display contact information can provide an extra layer of protection. Regular audits of device security posture and incident response plans for lost or stolen devices should be maintained to address potential exploitation scenarios.