CVE-2025-43190 is a vulnerability identified in Apple’s iOS and iPadOS operating systems, related to a parsing issue in the handling of directory paths. Specifically, the flaw involves insufficient validation of directory paths, categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). This weakness allows a malicious or compromised app to potentially access sensitive user data that should otherwise be protected. The vulnerability does not require any privileges (PR:N) but does require user interaction (UI:R), such as installing or running a malicious app. The attack vector is local (AV:L), meaning the attacker must have the ability to run code on the device. The vulnerability affects multiple Apple OS versions prior to iOS 26 and iPadOS 26, with fixes implemented in these latest releases as well as macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, visionOS 26, and watchOS 26. The CVSS v3.1 base score is 5.5, indicating a medium severity level, primarily due to the high confidentiality impact but limited integrity and availability impact. No known exploits have been reported in the wild to date. The vulnerability could be exploited by an app to bypass normal sandboxing or access controls, potentially exposing user data such as files, credentials, or personal information. This represents a significant privacy risk, especially in environments where sensitive data is stored on mobile devices. The fix involves improved path validation to ensure directory traversal or unauthorized path access is prevented.

The primary impact of CVE-2025-43190 is the unauthorized disclosure of sensitive user data on Apple iOS and iPadOS devices. If exploited, malicious apps could access files or data outside their intended sandbox, compromising user privacy and potentially exposing confidential information such as personal documents, credentials, or application data. This could lead to identity theft, corporate espionage, or leakage of sensitive business information. The vulnerability does not affect system integrity or availability directly, but the confidentiality breach alone can have severe consequences for individuals and organizations. Enterprises relying on Apple mobile devices for secure communications or data storage are at risk of data leakage. The requirement for user interaction and local access somewhat limits the attack scope, but social engineering or malicious app distribution could facilitate exploitation. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure. Organizations with BYOD policies or those deploying iOS/iPadOS devices in sensitive environments must consider this vulnerability a significant privacy risk.

1. Upgrade affected Apple devices to iOS 26, iPadOS 26, or later versions where the vulnerability is patched. Similarly, update macOS, visionOS, and watchOS devices to their respective fixed versions. 2. Enforce strict app vetting policies to prevent installation of untrusted or potentially malicious apps, including using Apple’s App Store and enterprise app management tools. 3. Implement mobile device management (MDM) solutions to control app permissions and restrict access to sensitive data directories. 4. Educate users about the risks of installing apps from untrusted sources and the importance of applying OS updates promptly. 5. Monitor device logs and behavior for unusual file access patterns or attempts to access restricted directories. 6. Consider deploying endpoint detection and response (EDR) tools that support iOS/iPadOS to detect suspicious app activities. 7. For high-security environments, limit the use of personal devices or enforce containerization to segregate sensitive data. 8. Regularly review and audit installed applications and their permissions to minimize attack surface.