
CVE-2025-31225: Call history from deleted apps may still appear in spotlight search results in Apple iOS and iPadOS

Severity: High
Type: Vulnerability (CVE-2025-31225)
Published: Mon May 12 2025 (05/12/2025, 21:42:33 UTC)
Source: CVE
Vendor/Project: Apple
Product: iOS and iPadOS

Description

A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.5 and iPadOS 18.5. Call history from deleted apps may still appear in spotlight search results.

AI-Powered Analysis

Last updated: 07/06/2025, 18:25:12 UTC

Technical Analysis

CVE-2025-31225 is a privacy vulnerability in Apple iOS and iPadOS concerning call history that belongs to applications which have since been deleted: call history entries associated with an uninstalled app may still appear in Spotlight search results. Spotlight is the system-wide search feature that indexes apps, contacts, messages and other on-device content for quick access. Apple does not describe the root cause beyond stating that the fix removes the residual data; the symptom is that index entries for an app's calls were not purged when the app itself was.

The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 7.1 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, scope unchanged, high confidentiality impact, low integrity impact, no availability impact. Read the vector with care. Spotlight results are rendered on the device itself, so in practice the stale entries are exposed to whoever can run a search on the unlocked device, not to a party on the network, and the advisory describes no remote path. Re-scored with AV:L and every other metric unchanged, the same vector yields 6.1 (medium). Treat the 7.1 as the score attached to the published vector, not as evidence that call history can be pulled remotely.

Apple fixed the issue in iOS 18.5 and iPadOS 18.5 by removing the residual data from the Spotlight index. No exploitation in the wild has been reported. The advisory does not enumerate affected versions; assume every release before 18.5 is affected. The consequence is disclosure rather than code execution or system compromise: call history carries contact identities and call metadata (who, when, how often), which the user reasonably expected to be gone with the app and which is useful material for social engineering, surveillance of a user's communication patterns, or other privacy violations.

Potential Impact

For European organisations the residual call history is a data protection concern more than a compromise concern, especially where employees use third-party calling apps for sensitive or confidential communications. Call metadata identifies who was contacted and when; its persistence after the user deleted the app that generated it undermines the organisation's ability to honour deletion and data-minimisation obligations under regulations such as the GDPR, with the attendant legal and financial exposure. Sectors such as finance, healthcare, legal and government are particularly affected because the contact identities and calling patterns involved can be sensitive in themselves. The exposure also gives anyone who briefly holds an unlocked device, or who examines a lost or seized one, a view of communication patterns and contacts that is useful for targeted phishing or social engineering. Because iOS and iPadOS devices are common in European corporate fleets, the number of devices carrying such stale entries is non-trivial. The issue does not enable system compromise or denial of service, but the confidentiality failure alone can damage trust and complicate compliance. The vector's "no user interaction" and "low attack complexity" describe how easily the data surfaces once a party has the device in hand; they do not describe a remote exposure.

Mitigation Recommendations

Update all iOS and iPadOS devices to 18.5 or later; that is the only fix, and the update itself removes the residual entries. Use the MDM inventory to report devices still below 18.5 and drive the update through the MDM's managed software update controls rather than relying on users. After a device has been updated, a quick check is to search Spotlight for a contact that was only ever called through a since-deleted app and confirm that no call entries for it are returned. App-lifecycle controls in the MDM (restricting which calling apps may be installed, removing managed apps together with their data at offboarding) limit how much third-party call history accumulates in the first place. Note that there is no MDM restriction that targets call-history indexing specifically; the per-app search toggles under Settings > Siri & Search are user-facing settings, and disabling Spotlight more broadly on supervised devices is a blunt instrument that most environments will not want. Strong device access controls (passcode, biometrics, short auto-lock) matter here because the data is only reachable from an unlocked device. Spotlight queries on a managed device are not visible to the organisation, so detection effort is better spent on patch-compliance reporting than on attempting to monitor access to call history. Brief employees that, on unpatched devices, deleting an app did not remove its call history, and include residual-data exposure on mobile devices in incident response and data-subject deletion procedures.
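An added example, not from the original page: a patch-compliance check over an MDM inventory export, flagging iOS and iPadOS devices below the fixed version. The CSV layout (device_id,os,version) and the sample rows are constructed for illustration; real MDM exports use other column names, and the version values (including the made-up "18.10") are there to show why versions must be compared numerically, since the string "18.10" sorts before "18.5".

```python
import csv
import io

# Fixed releases per the advisory: iOS 18.5 and iPadOS 18.5.
FIXED_VERSION = (18, 5)
AFFECTED_PLATFORMS = {"ios", "ipados"}


def parse_version(text):
    """'18.4.1' -> (18, 4, 1). Tuples compare numerically, so (18, 10) > (18, 5),
    whereas the raw strings compare the other way round ('18.10' < '18.5')."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(os_name, version):
    """True/False for iOS and iPadOS; None for platforms this CVE does not cover."""
    if os_name.strip().lower() not in AFFECTED_PLATFORMS:
        return None
    return parse_version(version) >= FIXED_VERSION


def find_unpatched(inventory_csv):
    """Return (device_id, os, version) for every in-scope device below 18.5.
    The column names are an assumption about the export, not a real MDM schema."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    flagged = []
    for row in reader:
        if is_patched(row["os"], row["version"]) is False:
            flagged.append((row["device_id"], row["os"], row["version"]))
    return flagged


# Constructed sample export; device names and version numbers are made up.
SAMPLE_INVENTORY = """device_id,os,version
ipad-001,iPadOS,18.4.1
iphone-002,iOS,18.5
iphone-003,iOS,18.10
iphone-004,iOS,17.7.2
mac-005,macOS,15.5
"""

if __name__ == "__main__":
    for device in find_unpatched(SAMPLE_INVENTORY):
        print("needs update:", *device)
```

Devices on other platforms are reported as out of scope rather than as patched, so a macOS row never silently counts as compliant for an iOS-only advisory.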


Technical Details

Data Version
5.1
Assigner Short Name
apple
Date Reserved
2025-03-27T16:13:58.321Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fc1484d88663aecc8d

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 6:25:12 PM

Last updated: 7/27/2025, 7:57:15 PM
