CVE-2025-24133: Keyboard suggestions may display sensitive information on the lock screen in Apple iOS and iPadOS

Medium
Type: Vulnerability
Published: Mon Sep 15 2025 (09/15/2025, 22:34:18 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: iOS and iPadOS

Description

This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 26 and iPadOS 26. Keyboard suggestions may display sensitive information on the lock screen.

AI-Powered Analysis

Last updated: 09/16/2025, 00:09:16 UTC

Technical Analysis

CVE-2025-24133 is a vulnerability in Apple iOS and iPadOS in which keyboard suggestions (the predictive-text and autocomplete options shown as a user types) may display sensitive information on the device's lock screen. Because the suggestions can appear while the device is locked, they cross the security boundary the lock screen is supposed to enforce and may reveal fragments of messages, passwords, or other private content that the keyboard engine previously learned or predicted. The root cause is insufficient restriction of which suggestions may be offered while the device is locked. Apple addressed the issue by restricting the options offered on a locked device; the fix ships in iOS 26 and iPadOS 26. The affected version range is not specified in the advisory, so all releases prior to iOS/iPadOS 26 should be presumed vulnerable. No exploits in the wild were known at the time of publication, and no CVSS score has been assigned. The impact is primarily to confidentiality: information is disclosed without authentication, and the attack vector is local, requiring physical access to the locked device in order to observe the suggestions. Integrity and availability are not directly affected, but the disclosed information could support further attacks.

Potential Impact

For European organizations, this vulnerability is a privacy and confidentiality risk, particularly for employees and executives who handle sensitive corporate or personal data on Apple mobile devices. Sensitive information shown on the lock screen could disclose confidential communications, credentials, or other private data, and the risk is greatest where devices may be lost, stolen, or handled by unauthorized personnel. Such disclosure could also undermine compliance with European data protection regulations such as GDPR, which require strict controls over the confidentiality of personal data. Sectors in which sensitive data is routinely accessed on mobile devices, such as finance, healthcare, legal, and government, are particularly exposed. Remote exploitation is not possible; the physical-access requirement makes device loss and theft the critical threat scenarios. The absence of known exploits lowers the immediate risk but does not rule out targeted attacks or insider misuse.

Mitigation Recommendations

European organizations should prioritize updating all Apple iOS and iPadOS devices to version 26 or later as soon as it is available. Until the update is deployed, enforce strict physical security controls to prevent unauthorized access to devices, including policies for device handling, storage, and transport. Full device encryption and strong passcodes reduce the risk of unauthorized unlocking. Where the platform and management tooling support it, disable keyboard suggestions on the lock screen through device management policies or configuration profiles to minimize exposure. Train employees on the risks of device loss and on reporting lost or stolen devices promptly. In highly sensitive environments, consider restricting the use of unpatched devices for critical communications until the fix is applied. Monitoring for unusual device access patterns or data-leakage incidents involving mobile devices can help detect exploitation attempts. Finally, review and update mobile device management (MDM) policies to incorporate these mitigations and to maintain compliance with data protection regulations.

Technical Details

Data Version: 5.1
Assigner Short Name: apple
Date Reserved: 2025-01-17T00:00:44.974Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68c8aa6cee2781683eebd53b

Added to database: 9/16/2025, 12:08:12 AM

Last enriched: 9/16/2025, 12:09:16 AM

Last updated: 9/19/2025, 3:30:01 PM
