CVE-2025-30468: Private Browsing tabs may be accessed without authentication in Apple iOS and iPadOS
This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.
AI Analysis
Technical Summary
CVE-2025-30468 is a medium-severity vulnerability affecting Apple iOS and iPadOS, specifically the handling of Private Browsing tabs. It allows Private Browsing tabs to be accessed without authentication or user interaction. The root cause is improper state management within the browser environment, which fails to isolate Private Browsing sessions adequately from normal browsing contexts or from unauthorized access paths. As a result, an attacker with local access to the device, or potentially through other means, could view Private Browsing tabs that are expected to remain confidential. The vulnerability does not impact system integrity or availability but compromises confidentiality by exposing sensitive browsing data. It was fixed in iOS 26 and iPadOS 26 through improved state management that ensures Private Browsing tabs cannot be accessed without proper authentication. The CVSS 3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, no privileges required, and no user interaction needed, impacting confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-1390, which relates to improper state management or access control issues.
Potential Impact
For European organizations, this vulnerability poses a privacy risk, particularly for employees or executives who use iOS or iPadOS devices for sensitive browsing activities under Private Browsing mode. Exposure of Private Browsing tabs could lead to leakage of confidential information, including browsing history, accessed web applications, or sensitive research. This could facilitate targeted social engineering, corporate espionage, or unauthorized data disclosure. While the vulnerability does not directly allow system compromise or data manipulation, the confidentiality breach can undermine trust in device security and privacy. Organizations in sectors with high privacy requirements, such as finance, healthcare, legal, and government, are especially at risk. Additionally, the vulnerability could impact compliance with European data protection regulations like GDPR, as unauthorized access to private browsing data may be considered a personal data breach. The lack of required authentication and user interaction increases the risk of exploitation in scenarios where devices are lost, stolen, or temporarily accessed by unauthorized individuals.
Mitigation Recommendations
European organizations should ensure all iOS and iPadOS devices are updated to version 26 or later, where the vulnerability is patched. Until updates are deployed, organizations should enforce strict physical security controls to prevent unauthorized access to devices, including strong device passcodes and biometric locks. Mobile device management (MDM) solutions can be used to enforce update policies and monitor device compliance. Additionally, organizations should educate users about the risks of leaving devices unattended and the limitations of Private Browsing mode in protecting sensitive information. For highly sensitive environments, consider restricting the use of Private Browsing or implementing additional application-level protections such as secure browsers with enhanced privacy controls. Regular audits of device security posture and incident response plans should include scenarios involving unauthorized access to browsing data. Finally, organizations should monitor for any emerging exploit reports related to this vulnerability to respond promptly.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-03-22T00:04:43.723Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68c8aa6cee2781683eebd543
Added to database: 9/16/2025, 12:08:12 AM
Last enriched: 9/23/2025, 12:53:23 AM
Last updated: 11/2/2025, 3:52:27 PM