CVE-2025-24090 is a permissions-related vulnerability identified in Apple iOS and iPadOS that allows an application with limited privileges to enumerate the list of installed applications on a device. This issue stems from insufficient enforcement of permission restrictions, enabling apps to access information about other installed apps without explicit user consent or interaction. The vulnerability is categorized under CWE-200 (Information Exposure) and CWE-284 (Improper Access Control). The ability to enumerate installed apps can compromise user privacy by revealing sensitive or security-related apps, which could be leveraged by attackers for profiling or reconnaissance purposes. The vulnerability does not allow modification, deletion, or interference with other apps, nor does it impact system integrity or availability. Exploitation requires local access with limited privileges but no user interaction. Apple addressed this issue by implementing additional restrictions in iOS and iPadOS version 18.3, preventing unauthorized app enumeration. No known exploits have been reported in the wild, and the CVSS v3.1 base score is 3.3, reflecting low severity due to limited confidentiality impact and low exploit complexity.

The primary impact of CVE-2025-24090 is the potential exposure of user privacy through unauthorized enumeration of installed applications. This information can be used by malicious actors to profile users, identify security or privacy-sensitive apps, and tailor subsequent attacks such as phishing or malware delivery. While the vulnerability does not compromise system integrity or availability, the confidentiality breach can be significant in environments where app usage reveals sensitive information, such as corporate or government contexts. Organizations relying on Apple mobile devices may face increased risk of targeted attacks if adversaries leverage this vulnerability for reconnaissance. However, the overall impact is limited by the requirement for local app installation with limited privileges and the absence of user interaction requirements. The lack of known exploits in the wild further reduces immediate risk, but the vulnerability still represents a privacy concern that should be addressed promptly.

To mitigate CVE-2025-24090, organizations and users should promptly update all affected Apple devices to iOS and iPadOS version 18.3 or later, where the vulnerability is fixed. Beyond patching, organizations should enforce strict app vetting policies, limiting installation to trusted applications only, to reduce the risk of malicious apps exploiting this issue. Employ Mobile Device Management (MDM) solutions to control app permissions and monitor installed applications for unauthorized software. Additionally, educate users about the risks of installing untrusted apps and encourage the use of Apple’s official App Store exclusively. For high-security environments, consider implementing app whitelisting and restricting app installation capabilities. Regularly audit device configurations and installed apps to detect anomalies that may indicate exploitation attempts. Finally, maintain awareness of updates from Apple regarding this vulnerability and related security advisories.