CVE-2025-41458: CWE-312 Cleartext Storage of Sensitive Information in Two App Studio Journey

Severity: Medium
Published: Mon Jul 21 2025 (07/21/2025, 11:01:13 UTC)
Source: CVE Database V5
Vendor/Project: Two App Studio
Product: Journey

Description

Unencrypted storage in the database in Two App Studio Journey v5.5.9 for iOS allows local attackers to extract sensitive data via direct access to the app’s filesystem.

AI-Powered Analysis

Last updated: 07/21/2025, 11:31:37 UTC

Technical Analysis

CVE-2025-41458 is a medium-severity vulnerability in Two App Studio's Journey application, version 5.5.9 for iOS. The flaw is the cleartext storage of sensitive information in the app's local database: the data is written unencrypted to the app's filesystem, where it can be read directly by a local attacker with physical or logical access to the device's storage. It is classified under CWE-312 (Cleartext Storage of Sensitive Information), i.e. inadequate protection of sensitive data at rest. The CVSS v3.1 base score is 5.5 (medium), driven by the confidentiality impact: the attack vector is local (AV:L), low privileges are required (PR:L), and no user interaction is needed (UI:N). Integrity and availability are not affected, but confidentiality is. Because exploitation requires local access, an attacker must either hold the device physically or have already compromised it far enough to browse the app's filesystem. No exploits in the wild are reported, and no patch has been published at the time of writing. The affected release is Journey 5.5.9 for iOS. Since the app is used for journaling and personal data management, the exposed data could include personal notes, location data, and other private information entered by users.

Potential Impact

For European organizations, the primary impact of this vulnerability is the potential exposure of sensitive user data stored by the Journey app on iOS devices. Organizations that encourage or mandate the app for employee journaling, mental health tracking, or personal data management could face confidentiality breaches if devices are lost, stolen, or accessed by unauthorized personnel. Such exposure could breach GDPR requirements on the protection of personal data, with legal and financial consequences. If the exposed data includes business-sensitive information or personal identifiers, it could also support social engineering or targeted attacks against the organization or its employees. The vulnerability does not affect system integrity or availability, but the loss of confidentiality could undermine trust in the organization's data handling practices and invite regulatory scrutiny.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first assess where the Journey app is used in their environment and consider restricting its use on corporate devices until a patch is available. Users should be advised to enable device-level encryption and strong authentication (biometrics or a strong passcode) to reduce the risk of unauthorized local access. Application sandboxing and the iOS data-protection features should be leveraged to limit filesystem access. Where possible, sensitive data should be encrypted before it is stored in the app, or an alternative journaling application that encrypts stored data should be recommended instead. Organizations should monitor for updates from Two App Studio and apply patches promptly once released. Mobile Device Management (MDM) policies that enforce encryption, restrict app installations, and allow remote wipe of lost or stolen devices further reduce the risk. User training on physical device security and on the risks of local data storage is also important.

Technical Details

Data Version: 5.1
Assigner Short Name: cirosec
Date Reserved: 2025-04-16T10:48:40.810Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687e2174a83201eaac0ea5d4

Added to database: 7/21/2025, 11:16:04 AM

Last enriched: 7/21/2025, 11:31:37 AM

Last updated: 7/22/2025, 8:12:37 PM
