CVE-2025-24145 is a privacy vulnerability identified in Apple iOS and iPadOS operating systems, specifically affecting versions prior to iOS 18.3 and iPadOS 18.3, as well as macOS Sequoia 15.3. The issue arises from insufficient redaction of private data in system log entries, allowing an app with limited privileges (local access and low privilege) to view a contact's phone number by reading system logs. This vulnerability is categorized under CWE-532, which relates to exposure of sensitive information through logs. The vulnerability does not require user interaction but does require local privileges, meaning an attacker must have some level of access to the device, such as through a malicious app installed on the device. The CVSS v3.1 base score is 3.3 (low severity), reflecting that the impact is limited to confidentiality with no impact on integrity or availability. The vulnerability was addressed by Apple through improved private data redaction in system logs starting with iOS and iPadOS 18.3 and macOS Sequoia 15.3. No public exploits or active exploitation in the wild have been reported to date. This vulnerability highlights the risk of sensitive data leakage through system logs, which can be overlooked in security assessments. Proper log management and data redaction are critical to prevent unauthorized access to private information.

The primary impact of CVE-2025-24145 is the unauthorized disclosure of contact phone numbers through system logs accessible by apps with limited privileges. While this does not affect the integrity or availability of the system, it compromises user privacy and confidentiality of sensitive contact information. For organizations, this could lead to privacy violations, potential regulatory non-compliance (e.g., GDPR, CCPA), and erosion of user trust. Attackers with local access could harvest contact information for social engineering, phishing, or further targeted attacks. The impact is more significant in environments where devices are shared or where malicious apps could be installed. Since exploitation requires local privileges and no user interaction, remote exploitation is unlikely, limiting the scope of risk. However, the widespread use of Apple devices globally means a large number of users could be affected if devices are not updated. The vulnerability underscores the importance of securing log data to prevent leakage of sensitive information.

1. Update all Apple devices to iOS 18.3, iPadOS 18.3, or macOS Sequoia 15.3 or later to apply the patch that improves private data redaction in system logs. 2. Restrict app permissions and avoid installing untrusted or unnecessary applications to minimize the risk of local privilege exploitation. 3. Implement mobile device management (MDM) policies to enforce timely OS updates and control app installations. 4. Monitor system logs and audit access to logs where feasible to detect unusual access patterns. 5. Educate users about the risks of installing apps from untrusted sources and the importance of keeping devices updated. 6. For organizations, consider additional endpoint protection solutions that can detect and prevent unauthorized local access or privilege escalation. 7. Review and harden logging configurations where possible to limit sensitive data exposure, even beyond the vendor patch. 8. Conduct regular privacy impact assessments to ensure compliance with data protection regulations concerning contact information.