CVE-2025-24089 is a permissions-related vulnerability in Apple’s iOS and iPadOS platforms that allows a malicious application to enumerate the list of installed applications on a user’s device. This enumeration capability stems from insufficient permission restrictions that previously allowed apps to query installed app information without explicit user consent or elevated privileges. Such information disclosure can be leveraged by attackers to profile users, identify installed security or enterprise apps, and tailor subsequent attacks such as phishing or malware deployment. Apple addressed this issue by implementing additional permission restrictions in iOS and iPadOS version 18.3, effectively preventing unauthorized app enumeration. The vulnerability affects all versions prior to 18.3, though the exact affected versions are unspecified. No public exploits have been reported, but the vulnerability’s presence in widely used mobile operating systems makes it a privacy concern. The vulnerability does not require user interaction or authentication, increasing its potential risk. Since the CVSS score is not provided, severity assessment is based on the impact on confidentiality (user privacy), ease of exploitation (no user interaction or authentication needed), and scope (all apps on vulnerable devices).

For European organizations, this vulnerability primarily threatens user privacy and confidentiality by exposing the list of installed applications on employee or customer devices. This can facilitate targeted social engineering, reconnaissance, and profiling attacks, potentially leading to further compromise. Organizations relying on iOS/iPadOS devices for sensitive communications or enterprise applications may see increased risk of information leakage. Although this vulnerability does not directly compromise device integrity or availability, the indirect effects of targeted attacks could disrupt operations or lead to data breaches. The impact is heightened in sectors with strict privacy regulations such as GDPR, where unauthorized disclosure of user information can result in compliance violations and reputational damage.

To mitigate this vulnerability, organizations should ensure all iOS and iPadOS devices are updated to version 18.3 or later, where Apple has implemented the necessary permission restrictions. Mobile device management (MDM) solutions should enforce timely OS updates and restrict app installation to trusted sources only. Review and limit app permissions rigorously, especially for apps requesting access to device information. Conduct security awareness training to inform users about risks associated with installing untrusted apps. Additionally, monitor device logs and network traffic for unusual app behavior that could indicate attempts to enumerate installed apps. For enterprise environments, consider deploying endpoint protection solutions that can detect and block suspicious app activities related to this vulnerability.