CVE-2025-24198 is a vulnerability in Apple iOS and iPadOS that allows an attacker with physical access to a locked device to leverage Siri to access sensitive user data. The root cause is insufficient restrictions on Siri's capabilities when the device is locked, enabling unauthorized data access without requiring device unlock or authentication. This vulnerability falls under CWE-284 (Improper Access Control), indicating that access control mechanisms did not adequately prevent unauthorized operations. The issue affects multiple Apple operating systems, including iOS 18.x, iPadOS 17.x and 18.x, macOS Ventura 13.7.5, macOS Sequoia 15.4, and macOS Sonoma 14.7.5. Apple mitigated the vulnerability by restricting the options Siri can offer on locked devices, thereby reducing the attack surface. The CVSS v3.1 vector (AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that the attack requires physical access (AV:P), has low complexity (AC:L), requires no privileges (PR:N), requires user interaction (UI:R), affects the same security scope (S:U), and impacts confidentiality, integrity, and availability to a high degree (C:H/I:H/A:H). No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risk of physical access attacks on mobile devices, especially where voice assistants are enabled on locked screens.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive data stored on Apple mobile devices. Attackers with physical access—such as insiders, visitors, or during device theft—could exploit Siri to extract confidential information without needing to unlock the device. This could lead to data breaches involving personal information, corporate secrets, or credentials stored or accessible via Siri. The integrity and availability of data could also be compromised if attackers manipulate Siri commands to alter or delete data. Sectors such as finance, healthcare, government, and critical infrastructure, which often use Apple devices and handle sensitive data, are particularly at risk. The requirement for physical access limits remote exploitation but increases the importance of physical security controls. Additionally, the vulnerability could facilitate lateral movement or escalation in targeted attacks if attackers gain initial physical access. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

European organizations should implement a multi-layered mitigation strategy beyond simply applying software patches. First and foremost, ensure all Apple devices are updated to the fixed versions: iOS 18.4, iPadOS 18.4, macOS Ventura 13.7.5, macOS Sequoia 15.4, and macOS Sonoma 14.7.5 or later. Disable Siri access from the lock screen entirely where possible, especially on devices used in sensitive environments. Enforce strict physical security policies to prevent unauthorized physical access to devices, including secure storage and controlled access areas. Educate users about the risks of leaving devices unattended and encourage use of strong authentication methods such as Face ID or Touch ID combined with complex passcodes. Implement Mobile Device Management (MDM) solutions to centrally control device settings, including disabling lock screen voice assistant access and monitoring device compliance. Regularly audit device configurations and access logs to detect suspicious activity. For high-risk environments, consider restricting or disabling voice assistant features altogether. Finally, develop incident response plans that include procedures for lost or stolen devices to quickly revoke access and mitigate data exposure.