CVE-2025-43280: Forwarding an email could display remote images in Mail in Lockdown Mode in Apple iOS and iPadOS
The issue was resolved by not loading remote images. This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode.
AI Analysis
Technical Summary
CVE-2025-43280 is a vulnerability in the Mail application on Apple’s iOS and iPadOS that affects the Lockdown Mode security feature. Lockdown Mode is designed to provide enhanced security by restricting certain functionality, including the loading of remote content such as images in emails, in order to reduce the attack surface and prevent information leakage. This vulnerability allows remote images to be loaded when a user forwards an email, bypassing the intended restriction. Attackers can use remote images to confirm user activity, track user behavior, or potentially fingerprint devices, because rendering them triggers network requests to attacker-controlled servers. The vulnerability does not allow modification of email content or compromise of device integrity, but it undermines the privacy guarantees of Lockdown Mode. Apple addressed the issue in iOS and iPadOS 18.6, where remote image loading is explicitly disabled during email forwarding in Lockdown Mode. The CVSS 3.1 base score is 4.7 (medium), reflecting a network attack vector, low attack complexity and no privileges required, but with user interaction required (forwarding an email). The scope is changed because the vulnerability affects the confidentiality of information outside the vulnerable component. No known exploits have been reported in the wild. This vulnerability is classified under CWE-940, which relates to improper restriction of operations within the security boundary.
Potential Impact
The primary impact of this vulnerability is a privacy breach rather than a direct compromise of device security or data integrity. Attackers can leverage the loading of remote images to confirm that a user has forwarded an email, potentially revealing user behavior and presence. This can be exploited for targeted phishing campaigns, user tracking, or reconnaissance by threat actors. Organizations relying on Lockdown Mode for enhanced security and privacy, such as journalists, activists, or government personnel, may have their operational security weakened. While the vulnerability does not allow code execution or data modification, the leakage of user activity information can facilitate further targeted attacks. The impact is limited to devices running vulnerable iOS and iPadOS versions with Lockdown Mode enabled and users who forward emails containing remote images.
Mitigation Recommendations
To mitigate this vulnerability, organizations and users should update all affected Apple devices to iOS and iPadOS version 18.6 or later, where the issue is fixed. Until updates are applied, users should avoid forwarding emails that contain remote images while Lockdown Mode is enabled. Administrators can enforce update policies and educate users about the risks of forwarding emails with remote content in Lockdown Mode. Additionally, disabling automatic loading of remote images globally in the Mail app settings can reduce exposure. Monitoring network traffic for unusual requests to external image servers may help detect exploitation attempts. Apple’s Lockdown Mode settings should be reviewed regularly to ensure they are configured according to organizational security policies.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-04-16T15:24:37.101Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68f00082d6afaf303e7d12fb
Added to database: 10/15/2025, 8:13:54 PM
Last enriched: 4/3/2026, 1:51:24 AM
Last updated: 5/10/2026, 6:31:22 AM