CVE-2025-31228: An attacker with physical access to a device may be able to access notes from the lock screen in Apple iOS and iPadOS
The issue was addressed with improved authentication. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7. An attacker with physical access to a device may be able to access notes from the lock screen.
AI Analysis
Technical Summary
CVE-2025-31228 is a security vulnerability identified in Apple’s iOS and iPadOS operating systems that permits an attacker with physical access to a device to bypass lock screen protections and access notes stored on the device. The root cause is an authentication bypass related to the notes application’s lock screen integration, categorized under CWE-287 (Improper Authentication). This vulnerability allows unauthorized reading, modification, or deletion of notes without requiring the device passcode or biometric authentication. The issue affects versions prior to the fixed releases, iOS 18.5, iPadOS 18.5 and iPadOS 17.7.7, in which Apple has implemented improved authentication controls to mitigate the risk. The vulnerability is exploitable without user interaction and does not require any privileges, but physical possession of the device is mandatory. The CVSS v3.1 base score of 6.8 reflects a medium severity rating, with attack vector classified as physical access, low attack complexity, no privileges required, no user interaction, and high impacts on confidentiality, integrity, and availability. Although no active exploits have been reported, the vulnerability poses a significant risk to sensitive information stored in notes, which may contain confidential or proprietary data. The flaw highlights the importance of robust lock screen security and authentication mechanisms in mobile operating systems to prevent data leakage from physical device compromise.
Potential Impact
The primary impact of CVE-2025-31228 is unauthorized disclosure and potential modification or deletion of sensitive notes stored on Apple mobile devices. For organizations, this could lead to leakage of confidential business information, intellectual property, or personal data if devices are lost, stolen, or accessed by unauthorized personnel. The integrity of notes can also be compromised, potentially enabling attackers to alter information for malicious purposes. Availability impact arises if notes are deleted or corrupted. Since the vulnerability requires physical access, it primarily threatens environments where device theft or unauthorized physical access is plausible, such as in public spaces, travel, or shared work environments. The medium severity rating indicates a moderate but tangible risk, especially for sectors relying heavily on mobile devices for secure note-taking, such as legal, healthcare, finance, and government. The absence of known exploits reduces immediate risk, but the vulnerability’s presence in widely used Apple platforms means it could be targeted in the future, especially by adversaries with physical access capabilities.
Mitigation Recommendations
To mitigate CVE-2025-31228, organizations and users should immediately update affected devices to iOS 18.5, iPadOS 18.5, or iPadOS 17.7.7 or later, where the vulnerability has been addressed with improved authentication controls. Beyond patching, users should enable strong device passcodes and biometric authentication to reduce the risk of unauthorized physical access. Disabling lock screen access to sensitive applications like Notes can further limit exposure. Organizations should enforce mobile device management (MDM) policies that restrict lock screen features and enforce encryption and remote wipe capabilities. Physical security controls should be enhanced to prevent device theft or unauthorized access, including secure storage and access monitoring. Regular audits of device security settings and user training on the risks of physical device compromise are recommended. Additionally, sensitive notes should be stored in encrypted containers or secure apps that require separate authentication beyond the device lock screen. Monitoring for lost or stolen devices and rapid response to such incidents will also reduce potential impact.
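The patching step above can be checked across a fleet by comparing each device's reported OS version with the fixed releases this page names. The following is an added example, not part of the original record; the inventory rows, device names and function names are constructed, and treating major versions newer than 18 as fixed is an assumption.

```python
# Added example: triage a device inventory against the fixed releases
# named on this page (iOS 18.5, iPadOS 18.5, iPadOS 17.7.7).

# Fixed release per platform, keyed by major version branch.
FIXED = {
    "iOS": {18: (18, 5)},
    "iPadOS": {17: (17, 7, 7), 18: (18, 5)},
}

# Constructed sample rows: (device name, platform, reported OS version).
SAMPLE_INVENTORY = [
    ("ipad-a", "iPadOS", "17.7.6"),
    ("ipad-b", "iPadOS", "17.7.7"),
    ("ipad-c", "iPadOS", "18.4.1"),
    ("phone-a", "iOS", "17.7.2"),
    ("phone-b", "iOS", "18.5"),
    ("phone-c", "iOS", "18.5 beta"),
]

def _pad(version, width=3):
    """Right-pad a version tuple with zeros so (18, 5) compares as (18, 5, 0)."""
    return tuple(version) + (0,) * (width - len(version))

def status(platform, version_text):
    """Return 'fixed', 'update' or 'unknown' for one device."""
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown"              # platform not covered by this page
    try:
        version = tuple(int(p) for p in version_text.strip().split("."))
    except ValueError:
        return "unknown"              # unparseable version: review by hand
    if version[0] > max(branches):
        return "fixed"                # assumption: later majors carry the fix
    fixed_in = branches.get(version[0])
    if fixed_in is None:
        return "update"               # the page lists no fix on this branch
    return "fixed" if _pad(version) >= _pad(fixed_in) else "update"

def triage(rows):
    """Group device names by status."""
    groups = {"fixed": [], "update": [], "unknown": []}
    for name, platform, version in rows:
        groups[status(platform, version)].append(name)
    return groups

if __name__ == "__main__":
    for state, names in triage(SAMPLE_INVENTORY).items():
        print(state, names)
```

Because the page lists a 17.x fix only for iPadOS, an iOS device on any 17.x release is reported as needing an update to 18.5.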
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India, Brazil, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-03-27T16:13:58.322Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fc1484d88663aecc2c
Added to database: 5/20/2025, 6:59:08 PM
Last enriched: 4/3/2026, 1:24:32 AM
Last updated: 5/8/2026, 11:56:50 AM