
CVE-2025-30436: An attacker may be able to use Siri to enable Auto-Answer Calls in Apple iOS and iPadOS

Severity: Critical
Type: Vulnerability
Published: Mon May 12 2025 (05/12/2025, 21:42:46 UTC)
Source: CVE
Vendor/Project: Apple
Product: iOS and iPadOS

Description

This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker may be able to use Siri to enable Auto-Answer Calls.

AI-Powered Analysis

Last updated: 07/06/2025, 14:12:13 UTC

Technical Analysis

CVE-2025-30436 is a critical vulnerability affecting Apple iOS and iPadOS devices, specifically related to the Siri voice assistant functionality. The flaw allows an unauthenticated remote attacker to leverage Siri to enable the Auto-Answer Calls feature on a locked device without user interaction or prior authentication. Auto-Answer Calls is a setting that automatically answers incoming calls after a preset delay, which can be exploited to eavesdrop on the device user or surroundings without their consent. The vulnerability arises because Siri, when invoked on a locked device, improperly restricts the options it offers, allowing the attacker to manipulate device settings that should otherwise be inaccessible without unlocking the device. This issue is categorized under CWE-284 (Improper Access Control), indicating a failure to enforce proper access restrictions on sensitive device functions. The vulnerability has a CVSS 3.1 base score of 9.1, reflecting its critical nature with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and high availability impact (A:H). The vulnerability was addressed by Apple in iOS and iPadOS version 18.4, where the options available to Siri on locked devices were restricted to prevent unauthorized enabling of Auto-Answer Calls. Although no known exploits are reported in the wild yet, the ease of exploitation and the potential for covert surveillance make this a significant threat.

Potential Impact

For European organizations, this vulnerability poses a serious risk to confidentiality and availability of communications on Apple mobile devices used within corporate environments. Attackers could remotely activate Auto-Answer Calls to listen in on sensitive conversations or meetings without the knowledge of the device owner, potentially leading to leakage of confidential business information, intellectual property, or personal data. The high availability impact means the device’s normal operation could be disrupted by unauthorized call answering, affecting user productivity. Given the widespread use of iOS and iPadOS devices in Europe, including in sectors such as finance, government, healthcare, and critical infrastructure, the risk of espionage or unauthorized surveillance is elevated. The fact that exploitation requires no privileges or user interaction increases the threat surface, especially in scenarios where devices are left unattended or locked but within voice range of an attacker. This vulnerability could also undermine trust in mobile device security policies and complicate compliance with European data protection regulations such as GDPR if personal data is compromised through unauthorized audio capture.

Mitigation Recommendations

European organizations should prioritize updating all iOS and iPadOS devices to version 18.4 or later to ensure the vulnerability is patched. Beyond patching, organizations should implement strict mobile device management (MDM) policies that restrict Siri usage on locked devices or disable Siri entirely if not required. Configuring devices to require biometric or passcode authentication before enabling or changing Auto-Answer Calls settings can add an additional layer of protection. Network-level controls such as restricting access to known malicious voice command sources or monitoring unusual call answering behavior may help detect exploitation attempts. User awareness training should emphasize the risks of leaving devices unattended and the importance of promptly installing security updates. For high-security environments, consider disabling Auto-Answer Calls altogether or limiting its use to trusted networks and contacts. Regular audits of device settings and logs can help identify unauthorized changes indicative of exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: apple
Date Reserved: 2025-03-22T00:04:43.717Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec90a

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 2:12:13 PM

Last updated: 7/27/2025, 8:18:53 AM
