CVE-2025-30428 is a vulnerability identified in Apple’s iOS and iPadOS operating systems that allows unauthorized viewing of photos stored in the Hidden Photos Album without requiring authentication. The root cause is improper state management within the photo app or system components responsible for enforcing access controls on hidden content. This flaw enables an attacker with physical access or limited user interaction to bypass authentication mechanisms, exposing potentially sensitive images. The vulnerability affects multiple versions of iOS and iPadOS prior to 18.4 and 17.7.6, respectively. Apple has addressed this issue by improving state management to ensure that the Hidden Photos Album cannot be accessed without proper authentication. The CVSS v3.1 base score is 5.4 (medium severity), reflecting the partial impact on confidentiality (high), limited impact on integrity (low), and availability (low). The attack vector is physical (AV:P), requiring user interaction (UI:R), with no privileges required (PR:N). There are no known exploits in the wild at the time of publication. The vulnerability is categorized under CWE-305 (Authentication Bypass by Primary Weakness). This flaw poses a privacy risk, especially for users who rely on the Hidden Photos Album feature to protect sensitive images from unauthorized viewing.

For European organizations, the primary impact of CVE-2025-30428 is the potential exposure of sensitive or confidential images stored on employee or corporate Apple devices. This could lead to privacy violations, data leakage, and reputational damage, especially for sectors handling sensitive personal data such as healthcare, legal, finance, and government. The confidentiality impact is high because unauthorized users can view hidden photos without authentication. Integrity and availability impacts are low, as the vulnerability does not allow modification or deletion of photos or disruption of device functionality. The requirement for physical access or user interaction limits remote exploitation but increases risk in environments where devices may be lost, stolen, or accessed by unauthorized personnel. European organizations subject to GDPR and other privacy regulations must consider the compliance implications of unauthorized data exposure. The vulnerability also raises concerns for individuals using corporate devices for personal purposes, potentially exposing private images.

European organizations should immediately deploy the security updates provided by Apple in iOS 18.4, iPadOS 18.4, and iPadOS 17.7.6 to remediate this vulnerability. Beyond patching, organizations should enforce strict physical security controls to prevent unauthorized access to devices, including strong device passcodes and biometric authentication. Device management policies should restrict or monitor the use of the Hidden Photos Album feature on corporate devices. User awareness training should emphasize the risks of storing sensitive images in hidden albums and the importance of locking devices when unattended. Implement Mobile Device Management (MDM) solutions to enforce security configurations and remotely wipe lost or stolen devices. Regular audits of device compliance and security posture can help identify unpatched or vulnerable devices. Additionally, organizations should review data protection policies to ensure that sensitive images are not stored on mobile devices unnecessarily.