CVE-2025-24117 is a vulnerability identified in Apple visionOS and other Apple operating systems such as iPadOS, iOS, macOS Sequoia, and watchOS. The root cause is insufficient redaction of sensitive information within the OS, which allows applications to fingerprint users. Fingerprinting here refers to the ability of an app to collect unique device or user-specific data points that can be used to track or identify users across sessions or applications without explicit user consent. This vulnerability falls under CWE-922 (Improper Restriction of Rendered UI Layers or Frames), indicating that the OS failed to properly restrict or redact sensitive UI elements or data that could be accessed by apps. The attack vector is local (AV:L), meaning the attacker must have the ability to run code on the device, but no privileges are required (PR:N). User interaction is necessary (UI:R), so the user must engage with the malicious app or content. The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. Apple has addressed this issue by improving the redaction of sensitive information in the affected OS versions, specifically visionOS 2.3, iPadOS 17.7.4, iOS 18.3, macOS Sequoia 15.3, and watchOS 11.3. There are no known exploits in the wild at this time. The CVSS score of 5.5 reflects a medium severity level, balancing the high confidentiality impact against the local attack vector and user interaction requirement.

For European organizations, this vulnerability primarily threatens user privacy and confidentiality. Organizations deploying Apple visionOS devices or other affected Apple platforms may face risks of user tracking and profiling by malicious applications, potentially leading to privacy violations and regulatory non-compliance under GDPR. While the vulnerability does not allow code execution or system compromise, the ability to fingerprint users can facilitate targeted phishing, social engineering, or surveillance activities. Sectors such as finance, healthcare, and government, which often handle sensitive personal data and may adopt Apple’s emerging visionOS technology for AR/VR applications, are particularly at risk. Additionally, organizations relying on Apple devices for secure communications or identity management could see reduced trust in their device security posture. The lack of known exploits reduces immediate risk but does not eliminate the potential for future abuse once the vulnerability is publicly known.

European organizations should immediately ensure that all Apple devices, especially those running visionOS and related operating systems, are updated to the patched versions: visionOS 2.3, iPadOS 17.7.4, iOS 18.3, macOS Sequoia 15.3, and watchOS 11.3 or later. Device management policies should enforce mandatory OS updates and restrict installation of untrusted or unvetted applications to reduce exposure. Organizations should audit installed apps for suspicious behavior or excessive permissions that could facilitate fingerprinting. User awareness training should emphasize the risks of interacting with unknown or untrusted apps, particularly in AR/VR environments where new interaction paradigms may increase risk. Network monitoring for anomalous app behavior or data exfiltration attempts can provide early detection of exploitation attempts. Finally, privacy-preserving configurations and app vetting processes should be enhanced to minimize unnecessary data exposure within the OS and applications.