CVE-2025-31267 is a medium-severity authentication vulnerability affecting Apple’s App Store Connect application. The flaw arises from improper state management, which allows an attacker with physical access to an unlocked device to view sensitive user information without requiring authentication or user interaction. App Store Connect is a critical platform used by developers to manage their apps on the Apple App Store, including access to sensitive data such as app analytics, financial reports, and user information. The vulnerability does not allow modification or disruption of data (no integrity or availability impact), but it compromises confidentiality by exposing sensitive information. The issue has been addressed in App Store Connect version 3.0 by improving state management to prevent unauthorized data exposure. The CVSS 3.1 base score is 4.6, reflecting a medium severity primarily due to the requirement of physical access and the lack of need for authentication or user interaction. No known exploits are currently reported in the wild. This vulnerability is categorized under CWE-287 (Improper Authentication), indicating a failure in properly verifying user identity before granting access to sensitive information.

For European organizations, especially those involved in app development or managing apps on the Apple App Store, this vulnerability poses a risk of sensitive data leakage if devices running vulnerable versions of App Store Connect are left unlocked and accessible. The exposure of sensitive user information could lead to privacy violations, intellectual property theft, or reputational damage. Although the attack requires physical access, this risk is significant in environments where devices are shared, lost, or stolen, such as in offices, conferences, or remote work settings. The confidentiality breach could also have regulatory implications under GDPR, as unauthorized access to personal data must be reported and mitigated. The vulnerability does not allow attackers to alter data or disrupt services, limiting the impact to information disclosure only.

European organizations should ensure that all devices running App Store Connect are updated to version 3.0 or later, where the vulnerability is fixed. Strict physical security controls should be enforced to prevent unauthorized access to devices, including locking devices when unattended and using biometric or strong passcode protections. Organizations should implement policies requiring automatic screen locking after short periods of inactivity. Additionally, sensitive operations within App Store Connect should be performed on dedicated, secured devices rather than shared or public machines. Regular audits and monitoring for unauthorized access attempts can help detect potential exploitation. Training employees on the risks of leaving devices unlocked and the importance of physical security is also critical. Since no patch links are provided, organizations should monitor Apple’s official channels for updates and apply them promptly.