CVE-2025-31253: Muting the microphone during a FaceTime call may not result in audio being silenced in Apple iOS and iPadOS
This issue was addressed through improved state management. This issue is fixed in iOS 18.5 and iPadOS 18.5. Muting the microphone during a FaceTime call may not result in audio being silenced.
AI Analysis
Technical Summary
CVE-2025-31253 is a vulnerability in Apple's iOS and iPadOS affecting the microphone mute control in FaceTime. Apple attributes it to a state-management defect and states that it was "addressed through improved state management" in iOS 18.5 and iPadOS 18.5; the record on this page classifies it under CWE-672 (Operation on a Resource after Expiration or Release), which here means the audio path keeps acting on a mute state that is no longer current. In practical terms, pressing mute updates what the user sees, but the audio pipeline does not reliably reflect that change, so microphone audio can continue to be transmitted to the other call participants after the user believes the microphone is silenced. Releases before 18.5 are affected; the fixed releases are 18.5 and later.

The CVSS 3.1 base score is 7.1 (High). The impact is to confidentiality (audio the user intended to withhold is still sent) with no integrity impact; the vector also records an availability impact, which is how the enrichment models a user control that does not take effect. The attack vector is local (AV:L) with user interaction because the condition is triggered by the local user's own mute action on the device, not because an attacker needs a foothold there: no attacker code or privileges on the device are required, and the party that receives the unmuted audio is simply whoever else is on the FaceTime call. No exploitation in the wild has been reported, but the flaw directly undermines a privacy control that people rely on in sensitive and corporate settings. The general lesson for real-time communication software is that a control such as mute must be enforced at the point where media leaves the device, from one authoritative state, and re-checked across every call-state transition, rather than being a flag the UI sets once and expects the media pipeline to honour.
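The bug class described above, modelled as an added example. This is not Apple's FaceTime code and does not claim to reproduce the actual defect: the class names, the "route change" event and the internal structure are hypothetical and exist only to show how a mute flag that is copied into the send path once can be lost across a call-state transition, and how enforcing mute from a single source of truth at the transmission point removes the whole class of bug. The `find_counterexample` driver exhaustively walks short event sequences and reports the first one after which the wire disagrees with the mute button.

```python
"""
Illustrative model of a mute-state desynchronisation defect and its fix.
Added example, not Apple's FaceTime code: the class names, the 'route
change' event and the internal structure are hypothetical and serve only
to show the bug class (a mute flag the UI sets once, which the audio send
path stops honouring after a call-state transition).
"""
import itertools
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Frame:
    seq: int
    audible: bool  # True if the frame carries real microphone samples


@dataclass
class VulnerableCallSession:
    """The mute choice is copied into the sender when mute is toggled. A
    later transition rebuilds the sender from defaults and loses the copy."""
    ui_muted: bool = False       # what the mute button shows
    sender_muted: bool = False   # what the audio path actually checks
    transmitted: List[Frame] = field(default_factory=list)

    def toggle_mute(self, muted: bool) -> None:
        self.ui_muted = muted
        self.sender_muted = muted  # pushed once; two copies of one fact

    def on_route_change(self) -> None:
        # Hypothetical transition (audio route or codec renegotiation) that
        # rebuilds the sender from defaults. BUG: mute is not re-applied.
        self.sender_muted = False

    def send_frame(self, seq: int) -> Optional[Frame]:
        if self.sender_muted:
            return None
        frame = Frame(seq, audible=True)
        self.transmitted.append(frame)
        return frame


@dataclass
class HardenedCallSession:
    """Mute is decided at the point of transmission from one authoritative
    flag, so no transition can leave the send path holding a stale copy."""
    ui_muted: bool = False
    transmitted: List[Frame] = field(default_factory=list)

    def toggle_mute(self, muted: bool) -> None:
        self.ui_muted = muted

    def on_route_change(self) -> None:
        pass  # rebuilding the sender touches nothing the send path relies on

    def send_frame(self, seq: int) -> Optional[Frame]:
        # Consult the single source of truth on every frame. Sending an
        # explicit silent frame keeps packet timing stable and makes the
        # muted state observable on the wire.
        if self.ui_muted:
            return Frame(seq, audible=False)
        frame = Frame(seq, audible=True)
        self.transmitted.append(frame)
        return frame


EVENTS = ("mute", "unmute", "route_change")


def find_counterexample(make_session: Callable, max_len: int = 3) -> Optional[Tuple[str, ...]]:
    """Exhaustively drive every event sequence up to max_len and return the
    first one after which the wire disagrees with the mute button (audible
    while muted, or silent while unmuted). None means the invariant held."""
    for n in range(1, max_len + 1):
        for seq in itertools.product(EVENTS, repeat=n):
            s = make_session()
            for ev in seq:
                if ev == "mute":
                    s.toggle_mute(True)
                elif ev == "unmute":
                    s.toggle_mute(False)
                else:
                    s.on_route_change()
            f = s.send_frame(0)
            wire_audible = f is not None and f.audible
            if wire_audible == s.ui_muted:
                return seq
    return None


if __name__ == "__main__":
    print("vulnerable:", find_counterexample(VulnerableCallSession))  # ('mute', 'route_change')
    print("hardened:  ", find_counterexample(HardenedCallSession))    # None
```

The invariant being checked is the one a user assumes: at every instant, what leaves the device matches what the mute button shows. The vulnerable model fails it on the two-step sequence mute, then route change, which is exactly the kind of sequence unit tests of a mute toggle in isolation never exercise; the hardened model has no second copy of the state to go stale, so the same search finds nothing.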
Potential Impact
The primary impact is a breach of confidentiality: a user who believes the microphone is muted during a FaceTime call may continue to transmit audio to the other participants, leaking side conversations, background discussion, or remarks intended to be off the record. The integrity of the call is not affected. The availability component recorded in the score corresponds to a user control that does not take effect, not to a denial of service; what the user experiences is the mute indicator saying one thing while the device does another. Organizations that use FaceTime for confidential discussions, including government agencies, legal firms, healthcare providers, and enterprises, face a higher risk of disclosure because muting is the standard way participants step out of a conversation without leaving the call. The flaw is triggered by the user's own mute action, so it does not give an outsider a way into the device; the exposure is to whoever is on the other end of the call, which may be an external party. The absence of known exploitation lowers the immediate risk but does not mean audio has not already been disclosed unknowingly on unpatched devices. Overall, the vulnerability undermines trust in the device's privacy controls and could raise regulatory or compliance issues if regulated data is disclosed.
Mitigation Recommendations
To mitigate CVE-2025-31253, update all affected devices to iOS 18.5 / iPadOS 18.5 or later; there is no configuration workaround that restores correct mute behaviour on earlier releases. Until devices are updated, treat the FaceTime mute button as unreliable: a user who needs to be certain nothing is transmitted should leave the call rather than rely on mute, and anyone who wants to verify the behaviour should test it with a second device on the call rather than trusting the on-screen indicator. Where policy requires, use MDM to disable FaceTime on supervised corporate devices until they are patched (Apple's Restrictions payload provides the `allowVideoConferencing` key for this), and use the MDM's software-update enforcement and deferral settings to push 18.5 and report devices that remain below it. Educate users that mute is a software control that can fail, and encourage caution with FaceTime for sensitive conversations until devices are updated; for critical discussions, consider a platform whose mute behaviour has been verified. Finally, track Apple's security release notes for iOS 18.5 and later for related fixes.
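A compliance check of the kind the MDM step above calls for, as an added example that is not part of the original page. The inventory export format, the column names and the sample rows are constructed for illustration; adapt the reader to whatever your MDM exports. The one non-obvious point it demonstrates is that OS versions must be compared as numeric tuples, since as strings "18.10" sorts below "18.5" and a naive check would wrongly flag a patched device.

```python
"""
Added example (not from the original page): flag devices in an MDM
inventory export that are still below the release that fixes
CVE-2025-31253. Export format and sample rows are constructed.
"""
import csv
import io
import re
from typing import List, Optional, Tuple

# Fixed releases named in Apple's note for CVE-2025-31253.
FIXED = {"iOS": (18, 5), "iPadOS": (18, 5)}

# Constructed sample export (hypothetical column names).
SAMPLE_EXPORT = """\
serial,product,os_version,supervised
C02AAA,iOS,18.4.1,true
C02BBB,iOS,18.5,false
C02CCC,iPadOS,18.10,true
C02DDD,iPadOS,17.7.5,true
C02EEE,macOS,15.4,true
C02FFF,iOS,,true
"""


def parse_version(s: Optional[str]) -> Optional[Tuple[int, ...]]:
    """'18.4.1' -> (18, 4, 1). Tuples compare numerically element by
    element, so (18, 10) > (18, 5) as it should; as text '18.10' < '18.5'."""
    parts = re.findall(r"\d+", s or "")
    return tuple(int(p) for p in parts) if parts else None


def is_affected(product: str, os_version: Optional[str]) -> bool:
    """True if the device runs a covered product on a release below the fix.
    A missing or unparseable version is reported as affected rather than
    silently skipped, so it shows up for follow-up."""
    floor = FIXED.get(product)
    if floor is None:
        return False  # product not covered by this advisory
    v = parse_version(os_version)
    if v is None:
        return True
    return v < floor


def affected_devices(export_text: str) -> List[str]:
    """Serials of devices that still need the update."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r["serial"] for r in rows if is_affected(r["product"], r["os_version"])]


if __name__ == "__main__":
    for serial in affected_devices(SAMPLE_EXPORT):
        print("needs update:", serial)
```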
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, Japan, South Korea, China, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-03-27T16:13:58.336Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec946
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 4/3/2026, 1:29:03 AM
Last updated: 5/10/2026, 3:00:39 AM