CVE-2025-43201 is a medium-severity vulnerability affecting the Apple Music Classical application on Android devices. The vulnerability allows an app to unexpectedly leak a user's credentials, which implies that sensitive authentication information could be exposed to unauthorized parties. The issue stems from insufficient validation or improper handling of credential data within the app, categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability does not require user interaction or privileges (AV:L/AC:L/PR:N/UI:N), meaning it can be exploited locally without authentication or user consent, but requires local access to the device. The confidentiality impact is high as it directly compromises user credentials, while integrity and availability impacts are not affected. The vulnerability was addressed by Apple in version 2.3 of Apple Music Classical for Android through improved checks to prevent credential leakage. No known exploits are reported in the wild as of the publication date, and the affected versions are unspecified, indicating that users running versions prior to 2.3 are potentially vulnerable. The vulnerability's CVSS score is 6.2, reflecting a medium severity level due to the local attack vector and lack of required privileges, but significant confidentiality impact.

For European organizations, this vulnerability poses a risk primarily to employees or users who have Apple Music Classical installed on their Android devices, especially if these devices are used for work purposes or contain corporate credentials. Credential leakage could lead to unauthorized access to user accounts, potentially exposing personal or corporate data if credentials are reused or linked to enterprise systems. While the vulnerability requires local access, it could be exploited by malicious apps or actors with physical or logical access to the device, such as through malware or insider threats. The impact is heightened in sectors with strict data protection regulations like GDPR, as credential exposure could lead to data breaches and regulatory penalties. Additionally, organizations with Bring Your Own Device (BYOD) policies may face increased risk if employees use vulnerable versions of the app on their personal devices connected to corporate networks.

European organizations should ensure that all Android devices running Apple Music Classical are updated to version 2.3 or later, where the vulnerability is fixed. Mobile device management (MDM) solutions can be used to enforce app updates and monitor installed app versions. Organizations should also restrict installation of untrusted or unnecessary apps to reduce the risk of local exploitation. Implementing endpoint security solutions that detect suspicious local app behavior can help identify attempts to access credential data. Educating users about the risks of installing apps from unverified sources and encouraging strong, unique passwords or multi-factor authentication (MFA) can mitigate the impact of credential leakage. For sensitive environments, consider restricting or monitoring the use of consumer media apps on corporate devices. Regular audits of app permissions and credential storage practices on devices can further reduce exposure.