CVE-2025-43356: A website may be able to access sensor information without user consent in Apple iOS and iPadOS
The issue was addressed with improved handling of caches. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26, iOS 18.7 and iPadOS 18.7. A website may be able to access sensor information without user consent.
AI Analysis
Technical Summary
CVE-2025-43356 is a WebKit-level vulnerability in Apple's iOS and iPadOS and in the related platforms that ship the same browser engine (watchOS, tvOS, visionOS, and Safari on the Mac). Apple's advisory describes the fix only as "improved handling of caches" and publishes no further root-cause detail, so the precise mechanism by which cached state let a site skip the consent check is not public; what is stated is the effect: a website could obtain sensor information without the user having consented. On these platforms the sensor data reachable from web content is principally device motion and orientation (accelerometer, gyroscope and compass readings exposed through the devicemotion and deviceorientation events), which WebKit gates behind a per-site permission prompt; the bug allowed that gate to be bypassed. This analysis classifies the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Affected versions are not enumerated beyond "prior to the patched releases": Safari 26, tvOS 26, watchOS 26, iOS 26, iPadOS 26, visionOS 26, and, for devices kept on the previous line, iOS 18.7 and iPadOS 18.7. Exploitation requires only that the victim load attacker-controlled web content; no authentication or elevated privilege is needed, so the vector is remote and low-effort. Because every browser on iOS and iPadOS uses the system WebKit (apart from alternative engines Apple has permitted in the EU since iOS 17.4), third-party browsers and in-app web views on those platforms are fixed by the OS update, not by a browser update. The CVE record itself carries no assigner-supplied CVSS vector (the Technical Details below list the CVSS version as null); the CVSS v3.1 estimate used in this analysis is 6.5 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), no availability impact (A:N). The concern is confidentiality: motion and orientation traces can fingerprint a device, reveal activity (walking, driving, typing), or correlate one user across sites. Apple addressed the issue by correcting the cache handling so that sensor access is again conditioned on consent. No public exploit or in-the-wild exploitation had been reported as of publication.
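The consent gate described above, shown as an added example rather than code from Apple or from this advisory: the legitimate path a page must take before WebKit on iOS/iPadOS hands it motion or orientation readings, and a probe that reports whether readings arrive without that consent. The probe does not exercise the cache bug behind CVE-2025-43356; it checks only the baseline property the fix restores, so it is a regression check for a patched device, not a detector for the bug. The button id `enable-motion` and the three-second probe window are assumptions of the example.

```javascript
// Added example, not Apple's code and not from the advisory: the consent gate
// a web page must pass before WebKit on iOS/iPadOS delivers motion/orientation
// readings, plus a probe that reports whether readings arrive WITHOUT consent.
// The probe does not exercise the cache bug behind CVE-2025-43356; it only
// checks the baseline property the fix restores.

// Pure decision logic, kept free of browser globals so it can be unit-tested.
function mayAttachMotionListener(permissionState) {
  // DeviceMotionEvent.requestPermission() resolves to 'granted' or 'denied';
  // anything else (unsupported platform, exception) must count as "no".
  return permissionState === 'granted';
}

function classifyProbe(result) {
  const { gated, permissionRequested, motionEvents, orientationEvents } = result;
  if (!gated) return 'N/A: platform does not gate sensor data behind consent';
  if (permissionRequested) return 'consented';
  const total = motionEvents + orientationEvents;
  if (total > 0) return `FAIL: ${total} sensor events delivered without consent`;
  return 'PASS: no sensor data delivered without consent';
}

// Browser-only helpers; guarded so the file also loads under Node.
function platformGatesMotion() {
  return typeof DeviceMotionEvent !== 'undefined' &&
         typeof DeviceMotionEvent.requestPermission === 'function';
}

async function requestMotionConsent() {
  if (!platformGatesMotion()) return 'unsupported';
  try {
    // Must run inside a user gesture (e.g. a click handler) or WebKit rejects.
    return await DeviceMotionEvent.requestPermission();
  } catch (err) {
    return 'error';
  }
}

// Attach listeners without asking first and count events carrying real
// readings (WebKit fires nothing before consent; some engines fire events
// whose fields are all null, which are not counted).
function probeWithoutConsent(durationMs) {
  return new Promise((resolve) => {
    let motionEvents = 0;
    let orientationEvents = 0;
    const onMotion = (ev) => {
      const a = ev.accelerationIncludingGravity;
      if (a && a.x !== null) motionEvents++;
    };
    const onOrientation = (ev) => { if (ev.alpha !== null) orientationEvents++; };
    window.addEventListener('devicemotion', onMotion);
    window.addEventListener('deviceorientation', onOrientation);
    setTimeout(() => {
      window.removeEventListener('devicemotion', onMotion);
      window.removeEventListener('deviceorientation', onOrientation);
      resolve({ gated: platformGatesMotion(), permissionRequested: false,
                motionEvents, orientationEvents });
    }, durationMs);
  });
}

if (typeof window !== 'undefined') {
  // Regression check: load this on the device under test, move it around for
  // three seconds, and read the verdict from the Web Inspector console.
  probeWithoutConsent(3000).then((r) => console.log(classifyProbe(r)));

  // Legitimate path, wired to a button with id="enable-motion" that the host
  // page is assumed to provide (assumption of this example).
  const btn = document.getElementById('enable-motion');
  if (btn) {
    btn.addEventListener('click', async () => {
      const state = await requestMotionConsent();
      if (mayAttachMotionListener(state)) {
        window.addEventListener('devicemotion',
          (ev) => console.log(ev.accelerationIncludingGravity));
      } else {
        console.log('motion access not granted: ' + state);
      }
    });
  }
}
```

The probe reports N/A on engines that never prompt for motion data (Android Chrome, desktop browsers), because on those a stream of events is expected behaviour and says nothing about consent; the FAIL verdict is meaningful only where `DeviceMotionEvent.requestPermission` exists.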
Potential Impact
For European organizations the exposure is a privacy one: motion and orientation readings collected during a browsing session can fingerprint the device and reveal behaviour (walking, driving, typing) that, once tied to an identifiable user, is personal data under the GDPR. Sectors handling sensitive personal data (finance, healthcare, government services) carry the most regulatory and reputational risk. Because the only user interaction required is loading attacker-controlled content, a link in a phishing message, a malicious advertisement, or a compromised legitimate site is sufficient; no download or install step is involved. Integrity and availability are unaffected, so the threat is data exposure rather than disruption. The wide deployment of iPhones and iPads in European business and government, and the fact that every iOS/iPadOS browser shares the system WebKit, mean the affected population is the whole managed fleet, not only users who open Safari. Organizations relying on iOS/iPadOS devices for a mobile workforce or customer-facing applications should treat this as a privacy risk and prioritise patching to maintain trust and regulatory compliance.
Mitigation Recommendations
1. Update all Apple devices to a release carrying the fix: iOS 26 and iPadOS 26 (or iOS 18.7 and iPadOS 18.7 on devices kept on the 18 line), watchOS 26, tvOS 26, visionOS 26, and Safari 26 on the Mac. On iOS and iPadOS the OS update also covers third-party browsers and in-app web views, since they use the system WebKit.
2. Use MDM to enforce a minimum OS version: schedule the update with an enforcement deadline, report devices below 18.7 / 26, and, where conditional access is available, keep non-compliant devices away from corporate resources until they update.
3. As an interim measure on devices that cannot update immediately, turn off Settings > Safari > Motion & Orientation Access, which removes the consent path for web motion data altogether. This is a per-device user setting; check whether your MDM can set it, and note that Apple has not stated whether it also blocks this specific bypass.
4. Tell users that visiting a page is enough, with no download or install needed, so caution with links received by email or messaging applies even to harmless-looking sites.
5. Keep DNS filtering or web proxies in place to block known malicious and phishing domains. Exfiltrated readings travel inside the attacker site's own HTTPS traffic and are not distinguishable on the wire, so blocking the site is the only network-level control that helps.
6. iOS exposes no per-site sensor-access log, so monitoring means tracking OS-version compliance in MDM and reviewing proxy logs for visits to flagged domains, not searching device logs for "sensor access" events.
7. Review internal and third-party apps that load untrusted web content in web views; they receive the fix with the OS update but deserve the same patch priority as the browser.
8. Traditional EDR has limited reach on iOS; a mobile threat defense product that inspects URLs at click time, combined with MDM compliance reporting, is the practical equivalent.
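The OS-version compliance check from steps 1, 2 and 6, as an added example that is not part of the advisory and not Apple's tooling: given an MDM inventory export, it flags devices still below a release carrying the fix. The fix versions are the ones the advisory lists; the CSV layout (`device_id,platform,os_version`) is an assumed export format, and the inventory rows are constructed, not real devices.

```javascript
// Added example, not from the advisory or from Apple: given an MDM inventory
// export, flag devices still below a release carrying the CVE-2025-43356 fix.
// Fix versions are the ones the advisory lists; the CSV layout
// (device_id,platform,os_version) is an assumed export format, and the
// inventory rows below are constructed, not real devices.

// Fix lines per platform. iOS/iPadOS got the fix on two lines (18.7 and 26);
// the other platforms only on 26. Safari here means the macOS Safari build.
const FIX_LINES = {
  iOS:      [[18, 7], [26, 0]],
  iPadOS:   [[18, 7], [26, 0]],
  watchOS:  [[26, 0]],
  tvOS:     [[26, 0]],
  visionOS: [[26, 0]],
  Safari:   [[26, 0]],
};

// "18.7.1" -> [18, 7, 1]; null for anything that is not dotted integers.
function parseVersion(s) {
  if (!s) return null;
  const parts = String(s).trim().split('.').map(Number);
  return parts.some((n) => !Number.isInteger(n)) ? null : parts;
}

// Patched if on the same major line as a fix release at or above its minor,
// or on a newer major line than the newest fix release. Majors between 18
// and 26 do not exist for Apple's 2025 OS lines, so they come out as
// unpatched, which is the safe default. Unknown platforms and malformed
// versions are also treated as unpatched rather than silently passed.
function isPatched(platform, version) {
  const lines = FIX_LINES[platform];
  const v = parseVersion(version);
  if (!lines || !v) return false;
  const [major, minor = 0] = v;
  const newestMajor = Math.max(...lines.map(([m]) => m));
  return major > newestMajor ||
         lines.some(([fMajor, fMinor]) => major === fMajor && minor >= fMinor);
}

// Returns the rows that still need the update.
function findUnpatched(csvText) {
  const rows = csvText.trim().split('\n').slice(1); // drop header row
  const unpatched = [];
  for (const row of rows) {
    const [id, platform, version] = row.split(',').map((c) => c.trim());
    if (!isPatched(platform, version)) unpatched.push({ id, platform, version });
  }
  return unpatched;
}

// Constructed sample export (assumed column layout; not real devices).
const SAMPLE_INVENTORY = `device_id,platform,os_version
A1,iOS,18.6.2
A2,iOS,18.7
A3,iPadOS,26.0.1
A4,watchOS,11.6
A5,visionOS,26
A6,tvOS,18.7
A7,iOS,26.1
A8,iOS,n/a`;

for (const d of findUnpatched(SAMPLE_INVENTORY)) {
  console.log(`${d.id}\t${d.platform} ${d.version}\tUNPATCHED`);
}
```

Note the tvOS row: 18.7 is a fix release for iOS and iPadOS but not for tvOS, which only received the fix in tvOS 26, so a single "is it 18.7 or later" rule across platforms would pass a device that is still vulnerable. Malformed or missing versions are deliberately reported as unpatched so they surface for manual follow-up.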
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Norway, Denmark, Finland, Ireland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-04-16T15:24:37.112Z
- CVSS Version: null (no CVSS supplied by the assigner in the CVE record)
- State: PUBLISHED
Threat ID: 68c8aa70ee2781683eebd7a3
Added to database: 9/16/2025, 12:08:16 AM
Last enriched: 11/10/2025, 8:30:03 PM
Last updated: 12/15/2025, 8:16:12 AM