
CVE-2025-31271: Incoming FaceTime calls can appear or be accepted on a locked macOS device, even with notifications disabled on the lock screen in Apple macOS

Severity: High
Type: Vulnerability (CVE-2025-31271)
Published: Mon Sep 15 2025 (09/15/2025, 22:35:26 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: macOS

Description

This issue was addressed through improved state management. This issue is fixed in macOS Tahoe 26. Incoming FaceTime calls can appear or be accepted on a locked macOS device, even with notifications disabled on the lock screen.

AI-Powered Analysis

Last updated: 09/16/2025, 00:11:10 UTC

Technical Analysis

CVE-2025-31271 is a vulnerability in Apple macOS that allows incoming FaceTime calls to appear on, or be accepted from, a locked device even when notifications are disabled on the lock screen. The behaviour points to a flaw in how macOS tracks FaceTime call state relative to the lock state. Normally, when a device is locked and lock-screen notifications are disabled, incoming calls and notifications should be neither visible nor actionable, so that nothing can be accessed and no information leaks while the device is locked. Because of this flaw, an attacker or any unsolicited caller could cause a FaceTime call to be displayed or accepted without the device owner's interaction or consent, bypassing the lock-screen protection. The result could be an audio or video session opened from the locked device, exposing sensitive surroundings or conversations or enabling surveillance.

Apple addressed the issue through improved state management in macOS Tahoe 26, which implies that earlier versions remain vulnerable. The affected versions are not listed explicitly, but all versions prior to macOS Tahoe 26 should be treated as at risk. No exploits were known in the wild at the time of publication, and no CVSS score had been assigned. The vulnerability needs no user interaction to display or accept a call and it bypasses the lock-screen notification setting, both of which raise its severity. Exploitation does, however, require the attacker to place a FaceTime call to the target, so the attack surface is limited to devices signed in to a reachable FaceTime account.

Potential Impact

For European organizations, this vulnerability poses significant privacy and security risks, especially for employees who use macOS devices in sensitive roles or handle confidential information. Unauthorized acceptance of FaceTime calls on locked devices could lead to eavesdropping, unauthorized recording, or leakage of sensitive conversations and data. This primarily compromises confidentiality, and potentially integrity if an attacker uses the call channel to influence or manipulate users. The availability impact is limited, though repeated exploitation could disrupt normal device use. Organizations with remote or hybrid workforces that rely on macOS devices are particularly exposed, because the flaw can be exploited without physical access to the device. Sectors with strict data-protection obligations, such as finance, healthcare, and government agencies in Europe, could additionally face compliance consequences and reputational damage if the vulnerability is exploited. Because no user interaction is required and the lock-screen notification setting is bypassed, the issue is most dangerous where devices are left unattended, locked but still connected to a network. The absence of known in-the-wild exploits suggests the threat is currently theoretical, but it should still be addressed proactively.

Mitigation Recommendations

European organizations should prioritize updating all macOS devices to macOS Tahoe 26 or later, where the vulnerability is fixed. Until the update can be deployed, organizations should consider disabling FaceTime on managed devices, especially for users in sensitive roles or handling confidential data. Strict access controls and network-level restrictions that limit incoming FaceTime calls from unknown or untrusted contacts can reduce exposure. Users should be educated about the risk of accepting unexpected FaceTime calls and encouraged to stay vigilant when their devices are locked. Monitoring network traffic for unusual FaceTime call patterns may help detect exploitation attempts. Enforcing full-disk encryption and strong device passcodes also mitigates the risks that accompany physical access to a device. IT administrators should review and tighten lock-screen and notification settings; although this vulnerability bypasses some of those controls, layered security remains important. Finally, organizations should maintain an inventory of macOS devices and keep patch-management processes timely so that vulnerabilities like this one can be addressed quickly in the future.
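The inventory and patch-status check recommended above can be scripted. The following is an added example written for this page, not code from Apple or from the advisory source; it assumes that the fix ships in major version 26 (macOS Tahoe 26, as the advisory states) and that `sw_vers -productVersion` is available on the managed Mac. On any other system the version is reported as unknown, so the function can also be fed version strings collected by an MDM export.

```shell
#!/bin/sh
# Added example: classify a macOS version string against the CVE-2025-31271 fix.
# Assumption (from the advisory): the fix is in macOS Tahoe 26, so any release
# with a major version below 26 is treated as unpatched.
FIXED_MAJOR=26

# is_fixed_version VERSION
#   returns 0 if VERSION's major component is >= 26 (patched),
#   1 if it is lower (unpatched), 2 if the string cannot be parsed.
is_fixed_version() {
  v="$1"
  major="${v%%.*}"            # "15.6.1" -> "15", "26.0" -> "26"
  case "$major" in
    ''|*[!0-9]*) return 2 ;;  # empty or non-numeric: not a version string
  esac
  [ "$major" -ge "$FIXED_MAJOR" ]
}

# classify_version VERSION -> prints one of: patched / unpatched / unknown
classify_version() {
  is_fixed_version "$1"
  case $? in
    0) echo "patched" ;;
    1) echo "unpatched" ;;
    *) echo "unknown" ;;
  esac
}

# report_local_device: read the running version (macOS only) and classify it.
report_local_device() {
  ver="$(sw_vers -productVersion 2>/dev/null || echo unknown)"
  status="$(classify_version "$ver")"
  host="$(hostname)"
  case "$status" in
    patched)   echo "$host: $ver - patched against CVE-2025-31271" ;;
    unpatched) echo "$host: $ver - update to macOS Tahoe 26 or later (CVE-2025-31271)" ;;
    *)         echo "$host: version not determined ($ver)" ;;
  esac
}

# Run only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "check_facetime_cve.sh" ]; then
  report_local_device
fi
```

Save the block as `check_facetime_cve.sh` and run it from a management agent, or source it and call `classify_version` on each version string in a fleet inventory to list devices that still need the update.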


Technical Details

Data Version: 5.1
Assigner Short Name: apple
Date Reserved: 2025-03-27T16:13:58.343Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68c8aa6cee2781683eebd568

Added to database: 9/16/2025, 12:08:12 AM

Last enriched: 9/16/2025, 12:11:10 AM

Last updated: 9/19/2025, 3:30:01 PM

