CVE-2025-24090: An app may be able to enumerate a user's installed apps in Apple iOS and iPadOS
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps.
AI Analysis
Technical Summary
CVE-2025-24090 is a vulnerability in Apple’s iOS and iPadOS platforms that allows an application to enumerate the list of installed applications on a user’s device without proper authorization. The root cause is a permissions issue: the operating system did not sufficiently restrict access to app installation metadata, so a malicious or unauthorized app could query it and obtain a list of installed apps. This capability can be leveraged by attackers for user profiling, to identify installed security or enterprise apps, or to tailor subsequent attacks to the victim’s app ecosystem. Apple addressed the issue by implementing additional restrictions in iOS and iPadOS 18.3, which limit an app's ability to access this information unless explicitly permitted. The vulnerability affects all versions prior to 18.3; the advisory does not list specific affected versions. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned. The vulnerability primarily impacts user privacy and confidentiality: it does not directly enable code execution or system compromise, but it can facilitate reconnaissance. The lack of authentication or user interaction requirements lowers the barrier for exploitation, but the impact remains limited to information disclosure. This vulnerability is particularly relevant for environments where app privacy is critical, such as corporate or government mobile deployments.
Potential Impact
For European organizations, the primary impact of CVE-2025-24090 is the potential compromise of user privacy and confidentiality. Attackers or malicious apps could gather detailed information about installed applications, which may reveal sensitive enterprise apps, security tools, or user behavior patterns. This information can be used for targeted phishing, social engineering, or to identify weaknesses in the organization's mobile security posture. While the vulnerability does not allow direct code execution or device takeover, the information disclosure can facilitate more sophisticated attacks. Organizations with Bring Your Own Device (BYOD) policies or those that rely heavily on iOS/iPadOS devices for sensitive operations are at higher risk. The vulnerability could also undermine compliance with privacy regulations such as GDPR if user data is indirectly exposed. However, the absence of known exploits and the availability of patches reduce the immediate risk if timely updates are applied.
Mitigation Recommendations
To mitigate CVE-2025-24090, European organizations should:
1) Ensure all iOS and iPadOS devices are updated to version 18.3 or later, where the vulnerability is fixed.
2) Enforce strict mobile device management (MDM) policies to control app installations and permissions, limiting the ability of unauthorized apps to access sensitive information.
3) Audit installed applications regularly to detect any suspicious or unauthorized apps that could exploit this vulnerability.
4) Educate users on the risks of installing untrusted applications and encourage the use of official app stores only.
5) Monitor network and device logs for unusual app behavior or attempts to enumerate installed apps.
6) Consider deploying endpoint protection solutions that can detect and block apps exhibiting reconnaissance behavior.
7) Review and tighten app permission settings, especially those related to app metadata and inter-app communication.
These steps go beyond generic patching by emphasizing proactive device management and user awareness.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Norway, Denmark, Finland, Ireland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2025-01-17T00:00:44.966Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 696a73a1b22c7ad868c2e46c
Added to database: 1/16/2026, 5:21:37 PM
Last enriched: 1/16/2026, 5:36:26 PM
Last updated: 1/16/2026, 8:48:23 PM