CVE-2025-31271 is a vulnerability in Apple macOS that allows incoming FaceTime calls to be displayed or accepted on a device even when it is locked and notifications are disabled on the lock screen. The root cause is improper state management in the FaceTime call handling process, which fails to enforce lock screen restrictions effectively. This flaw enables an attacker to bypass the lock screen's intended protections, potentially accepting calls without the device owner's knowledge or consent. The vulnerability is exploitable remotely without requiring any privileges or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is primarily on the integrity of the device's access controls, as unauthorized call acceptance could lead to privacy breaches or unauthorized communication. The issue was addressed in macOS Tahoe 26 through improved state management mechanisms. Although no exploits have been observed in the wild, the vulnerability poses a significant risk due to the ease of exploitation and the sensitive nature of FaceTime communications. The vulnerability is classified under CWE-287, which relates to improper authentication or authorization mechanisms. Organizations relying on macOS devices should be aware of this vulnerability and apply patches promptly to mitigate risks.

For European organizations, this vulnerability could lead to unauthorized access to FaceTime calls on locked macOS devices, potentially exposing sensitive communications or enabling social engineering attacks. The ability to accept calls without user consent undermines device security and user privacy, which is critical for sectors handling confidential information such as finance, healthcare, and government. The flaw could be exploited to bypass physical device security controls, increasing the risk of espionage or data leakage. Since macOS devices are widely used in European corporate environments, especially in countries with high Apple market penetration, this vulnerability could affect a broad range of users. The absence of required privileges or user interaction for exploitation increases the threat level. Although no active exploitation is reported, the potential for misuse necessitates urgent remediation to maintain compliance with European data protection regulations like GDPR and to protect organizational assets.

European organizations should immediately update all macOS devices to macOS Tahoe 26 or later, where the vulnerability is fixed. In addition to patching, organizations should audit and enforce strict device lock policies, ensuring that lock screens are configured to minimize exposure to incoming call notifications. Disable or restrict FaceTime usage on corporate devices where possible, especially in high-security environments. Implement mobile device management (MDM) solutions to centrally enforce update policies and monitor device compliance. Educate users about the risks of accepting calls on locked devices and encourage reporting of suspicious activity. Network-level controls could be used to restrict FaceTime traffic temporarily if patch deployment is delayed. Finally, review and enhance endpoint security monitoring to detect anomalous call acceptance or unusual FaceTime activity that could indicate exploitation attempts.