
CVE-2024-44204: A user's saved passwords may be read aloud by VoiceOver in Apple iOS and iPadOS

Severity: Medium
Type: Vulnerability
Published: Thu Oct 03 2024 (10/03/2024, 23:29:52 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: iOS and iPadOS

Description

A logic issue was addressed with improved validation. This issue is fixed in iOS 18.0.1 and iPadOS 18.0.1. A user's saved passwords may be read aloud by VoiceOver.

AI-Powered Analysis

Last updated: 11/03/2025, 22:54:03 UTC

Technical Analysis

CVE-2024-44204 is a logic flaw in Apple's iOS and iPadOS in which the VoiceOver accessibility feature can read a user's saved passwords aloud. VoiceOver speaks on-screen content for blind and low-vision users; in the affected builds the feature did not adequately validate what it was permitted to speak, so stored credentials could be disclosed audibly to anyone within earshot of the device. Apple fixed the issue in iOS 18.0.1 and iPadOS 18.0.1 with improved validation. The advisory names only the fixed version, so earlier releases should be treated as affected until updated.

The CVSS 3.1 base score of 5.5 (Medium) breaks down as local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), high confidentiality impact (C:H) and no integrity or availability impact (I:N/A:N). In practice the attacker must be able to operate the device: a person with temporary physical access, or someone who can drive VoiceOver while the password list is on screen. "No user interaction" refers to the victim; the attacker is the one interacting with the device. No exploitation in the wild has been reported.

The risk is credential exposure. A password read aloud in a meeting room, a shared office or a public space can be captured by a listener, and disclosed passwords can then be used for account takeover or lateral movement into systems the user can reach. Organizations should ensure devices are updated to iOS/iPadOS 18.0.1 or later.

Potential Impact

For European organizations, the vulnerability could expose saved passwords on managed or personal Apple devices, compromising user accounts and the systems behind them. Because the disclosure is audible, the scenarios that matter involve someone with hands on the device (a colleague, a thief, an insider) rather than a remote attacker; the local-access requirement limits exposure, but device theft and shared or unattended devices raise it. Disclosed credentials enable account takeover and privilege escalation, particularly where users reuse passwords between personal and work accounts. Sectors that depend on iOS/iPadOS for secure communications and operations (finance, healthcare, government, critical infrastructure) should treat the issue accordingly. Integrity and availability are unaffected, but the loss of confidentiality alone can trigger breach-notification duties and penalty exposure under GDPR if personal data is reachable with the exposed credentials. Prompt patching closes the window and preserves trust in device security.

Mitigation Recommendations

1. Update all iOS and iPadOS devices to 18.0.1 or later, which contains the fix.
2. Enforce device-lock policies (passcode, Face ID/Touch ID, short auto-lock) so an unattended device cannot be operated.
3. Tell users not to leave devices unlocked and unattended, and to install OS updates promptly.
4. On unpatched devices in high-risk environments, keep VoiceOver disabled unless the user needs it. This is a compensating control only; accessibility features must not be taken away from users who rely on them.
5. Use mobile device management (MDM) to enforce a minimum OS version, report devices still below 18.0.1, and restrict non-compliant devices' access to corporate resources.
6. Require strong, unique passwords and multi-factor authentication so that a disclosed password alone is not sufficient to log in.
7. Periodically review which credentials are stored on devices and remove those no longer needed.
8. Where the security risk outweighs the usability benefit, disable password autofill or saved-password storage by policy.
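An added illustration of items 1 and 5, not from the page or any MDM vendor: a small Python check that reads an MDM inventory export and reports which iOS/iPadOS devices are still below 18.0.1. The CSV columns and device records are constructed for the example; real exports use different column names and must be mapped. The detail worth noticing is the version comparison: comparing "18.10" and "18.9" as strings gives the wrong answer, and an empty or build-suffixed version string should be reported as unknown rather than crash the run or be silently counted as patched.

```python
"""Added example (not from the advisory or any MDM product): flag iOS and
iPadOS devices in an MDM inventory export that are below the fixed
release 18.0.1. Column names, serials and versions are constructed."""
import csv
import io

FIXED_VERSION = "18.0.1"
AFFECTED_PLATFORMS = {"iOS", "iPadOS"}

# Constructed sample export. Real MDM exports differ in column names.
SAMPLE_INVENTORY = """serial,platform,os_version,last_checkin
F2LX1AAA01,iOS,18.0.1,2024-10-05
F2LX1AAA02,iOS,18.0,2024-10-04
F2LX1AAA03,iPadOS,17.6.1,2024-09-30
F2LX1AAA04,iOS,18.1,2024-10-06
F2LX1AAA05,macOS,15.0,2024-10-06
F2LX1AAA06,iPadOS,,2024-08-01
F2LX1AAA07,iOS,18.0.1 (22A3370),2024-10-05
"""


def parse_version(text):
    """'18.0.1' -> (18, 0, 1); '18.0' -> (18, 0, 0). A trailing build
    identifier such as '18.0.1 (22A3370)' is ignored. Returns None when
    nothing parseable is present so the caller can treat it as unknown."""
    head = text.strip().split(" ")[0]
    if not head:
        return None
    try:
        nums = [int(p) for p in head.split(".")]
    except ValueError:
        return None
    nums += [0] * (3 - len(nums))          # pad '18.0' to (18, 0, 0)
    return tuple(nums[:3])


def classify(record, fixed=FIXED_VERSION):
    """One of: vulnerable, patched, unknown, out_of_scope."""
    if record["platform"] not in AFFECTED_PLATFORMS:
        return "out_of_scope"
    ver = parse_version(record["os_version"])
    if ver is None:
        return "unknown"                   # never assume unknown == patched
    return "patched" if ver >= parse_version(fixed) else "vulnerable"


def report(csv_text, fixed=FIXED_VERSION):
    """Return {status: [serial, ...]} for every device in the export."""
    buckets = {"vulnerable": [], "patched": [], "unknown": [], "out_of_scope": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[classify(row, fixed)].append(row["serial"])
    return buckets


if __name__ == "__main__":
    for status, serials in report(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(serials) or '-'}")
```

Devices in the "unknown" bucket (no version reported, or a device that has not checked in recently) deserve the same follow-up as the vulnerable ones; an inventory that cannot say what a device is running cannot say it is patched.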


Technical Details

Data Version
5.2
Assigner Short Name
apple
Date Reserved
2024-08-20T21:42:05.938Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690929a3fe7723195e0fd26b

Added to database: 11/3/2025, 10:16:03 PM

Last enriched: 11/3/2025, 10:54:03 PM

Last updated: 11/5/2025, 2:44:47 PM

