CVE-2025-24145: An app may be able to view a contact's phone number in system logs in Apple macOS
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.3, iOS 18.3 and iPadOS 18.3. An app may be able to view a contact's phone number in system logs.
AI Analysis
Technical Summary
CVE-2025-24145 is a privacy-related vulnerability in Apple macOS, iOS, and iPadOS, fixed in macOS Sequoia 15.3, iOS 18.3, and iPadOS 18.3. The flaw arises from insufficient redaction of private data in system log entries: an application with only local access and low privileges could read sensitive information, such as a contact's phone number, from those logs. The vulnerability is categorized under CWE-532 (insertion of sensitive information into a log file). It does not permit modification or deletion of data and does not affect system integrity or availability. Exploitation requires local access and low privileges, but no user interaction, so the attack complexity is low. The CVSS 3.1 base score is 3.3 (low severity), reflecting the limited confidentiality impact and the local-privilege requirement. No public exploits have been reported; the vulnerability was published on January 27, 2025. The root cause is inadequate private-data redaction in system logs, which Apple improved in the patched OS versions. The vulnerability primarily threatens user privacy by exposing contact phone numbers to unauthorized local applications.
Potential Impact
For European organizations, the primary impact of CVE-2025-24145 is the potential unauthorized disclosure of sensitive contact information through system logs accessible by local applications. This could lead to privacy violations, especially under stringent data protection regulations such as the GDPR. While the vulnerability does not compromise system integrity or availability, exposure of personal contact data can result in reputational damage, regulatory penalties, and loss of trust. Organizations with employees or customers using affected Apple devices may inadvertently expose contact information to unauthorized apps or internal threat actors with local access. The risk is heightened in environments where endpoint security controls are weak or where multiple users share devices. However, the low severity and requirement for local privileges limit the scope of impact, making it less critical for remote attackers or large-scale exploitation. Still, privacy-conscious sectors such as healthcare, finance, and government entities in Europe should consider this vulnerability significant due to the sensitivity of contact data.
Mitigation Recommendations
To mitigate CVE-2025-24145, European organizations should prioritize updating all affected Apple devices to macOS Sequoia 15.3, iOS 18.3, and iPadOS 18.3 or later, where the private data redaction issue has been fixed. Implement strict application permission policies to limit which apps can access system logs or sensitive data, employing Mobile Device Management (MDM) solutions to enforce these controls. Conduct regular audits of installed applications to identify and remove unauthorized or unnecessary apps with local access privileges. Employ endpoint security solutions that monitor and restrict access to system logs and sensitive files. Educate users about the risks of installing untrusted applications and the importance of applying OS updates promptly. Additionally, organizations should review internal policies regarding device sharing and local user privileges to minimize the risk of unauthorized local access. Logging and monitoring for unusual access patterns to system logs can help detect potential exploitation attempts. Finally, ensure compliance with GDPR and other relevant privacy regulations by documenting mitigation efforts and data protection measures.
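The bug class above (a value that should be private landing in the unified log in clear text) and its fix come down to how a log statement marks its arguments. As an added example, not code from the advisory or from Apple, the following Swift snippet shows the leaky and the redacted forms side by side using Apple's `os.Logger` API; the subsystem name and the phone number are constructed placeholders.

```swift
import os

// Added example, not Apple's code: shows how a CWE-532 leak of a phone
// number into the unified log arises and how privacy annotations prevent it.
// "com.example.contactsync" is a hypothetical subsystem name.
let logger = Logger(subsystem: "com.example.contactsync", category: "sync")

// Constructed sample value, not real contact data.
let phone = "+49 30 1234567"

// Leaky: opting the dynamic value into .public writes it to the log in
// clear text, where any local process that can run `log show` can read it.
logger.info("Dialing \(phone, privacy: .public)")

// Redacted: .private (the default for interpolated strings) stores the
// value as <private>; it only appears in clear text when a debug
// configuration profile explicitly enables private data in logs.
logger.info("Dialing \(phone, privacy: .private)")

// Redacted but still correlatable: a salted hash lets two log lines be
// matched to the same contact without revealing the number itself.
logger.info("Dialing \(phone, privacy: .private(mask: .hash))")
```

To verify the behaviour locally, run the script and then `log show --predicate 'subsystem == "com.example.contactsync"' --last 5m`; only the `.public` line should show the digits.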
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Denmark, Finland, Belgium, Ireland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2025-01-17T00:00:44.976Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6909213afe7723195e05380e
Added to database: 11/3/2025, 9:40:10 PM
Last enriched: 11/3/2025, 9:49:01 PM
Last updated: 12/20/2025, 2:28:55 AM