CVE-2025-24180 is a vulnerability identified in Apple’s WebAuthn implementation on iOS, iPadOS, macOS, and visionOS Safari browsers. WebAuthn is a web standard that enables strong, phishing-resistant authentication using public key cryptography. The vulnerability stems from improper input validation related to the registrable suffix of domain names, which allows a malicious website to claim WebAuthn credentials intended for another website sharing the same registrable suffix. For example, a malicious site under a subdomain or related domain could impersonate or intercept authentication credentials meant for a legitimate site, thereby compromising user authentication data. This flaw is categorized under CWE-601 (URL Redirection to Untrusted Site) and has a CVSS v3.1 score of 8.1, indicating high severity. The attack vector is network-based (remote), requires no privileges, but does require user interaction (e.g., visiting the malicious site). The impact affects confidentiality and integrity, allowing credential theft and potential account takeover, but does not affect availability. Apple addressed this issue by enhancing input validation in Safari 18.4, visionOS 2.4, iOS 18.4, iPadOS 18.4, and macOS Sequoia 15.4. No known exploits have been reported in the wild yet. The vulnerability highlights risks in domain boundary enforcement in WebAuthn implementations, which is critical for maintaining secure authentication flows.

For European organizations, this vulnerability poses a significant threat to the confidentiality and integrity of WebAuthn-based authentication credentials, which are increasingly used for secure login processes in banking, government portals, enterprise VPNs, and cloud services. If exploited, attackers could impersonate legitimate users by stealing their WebAuthn credentials, leading to unauthorized access to sensitive systems and data. This could result in financial fraud, data breaches, and erosion of trust in digital identity systems. The impact is particularly severe for sectors with high reliance on Apple devices and WebAuthn, such as financial institutions, public sector agencies, and technology companies. Additionally, the widespread use of Apple devices in Europe means a large attack surface. Although availability is not impacted, the breach of authentication credentials can have cascading effects on operational security and compliance with data protection regulations like GDPR.

1. Immediate deployment of Apple’s security updates: Upgrade all affected devices to iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, and Safari 18.4 or later to ensure the vulnerability is patched. 2. Restrict WebAuthn credential registration and assertion to fully qualified domain names rather than registrable suffixes to prevent cross-domain credential claims. 3. Implement monitoring and anomaly detection for unusual WebAuthn authentication attempts, especially from domains sharing registrable suffixes. 4. Educate users on the risks of interacting with unknown or suspicious websites, emphasizing cautious behavior to reduce user interaction-based exploitation. 5. For organizations managing WebAuthn relying parties, review domain configurations and consider additional domain isolation controls. 6. Employ network security controls such as DNS filtering and web content filtering to block access to known malicious domains. 7. Conduct regular security audits and penetration testing focused on authentication mechanisms to detect similar weaknesses.