CVE-2025-43356: A website may be able to access sensor information without user consent in Apple iOS and iPadOS
The issue was addressed with improved handling of caches. This issue is fixed in tvOS 26, Safari 26, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. A website may be able to access sensor information without user consent.
AI Analysis
Technical Summary
CVE-2025-43356 is a vulnerability identified in Apple’s iOS and iPadOS platforms, as well as related operating systems like tvOS, Safari, visionOS, watchOS, and macOS Tahoe. The core issue stems from improper handling of caches that allowed a website to bypass the user consent mechanism and access sensor information directly. Sensor data can include readings from the accelerometer, gyroscope, proximity, and other environmental sensors, which can reveal sensitive user context or behavior. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 6.5, indicating a medium severity level, with an attack vector of network (remote website), low attack complexity, no privileges required, but user interaction is necessary (visiting a malicious website). The impact is primarily on confidentiality, as sensor data could be exposed without user permission, but there is no impact on integrity or availability. Apple has released patches in versions iOS 18.7, iPadOS 18.7, and corresponding updates for other affected platforms to improve cache handling and prevent unauthorized sensor data access. No known exploits have been reported in the wild at the time of publication. This vulnerability highlights the risks of web-based sensor data access and the importance of strict permission controls in mobile operating systems.
Potential Impact
For European organizations, the unauthorized access to sensor data can lead to significant privacy violations, especially for sectors handling sensitive personal or corporate information such as finance, healthcare, and government. Sensor data can be used to infer user activities, locations, or behavioral patterns, potentially enabling targeted surveillance or profiling. This could result in non-compliance with GDPR and other privacy regulations, leading to legal and reputational damage. The vulnerability could be exploited via malicious websites, making it a risk for employees accessing the web on corporate or personal Apple devices. Although the vulnerability does not allow code execution or system compromise, the confidentiality breach alone can have serious consequences in environments requiring strict data privacy. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
European organizations should prioritize updating all Apple devices to iOS 18.7, iPadOS 18.7, and other patched OS versions as soon as they become available. Enterprise mobility management (EMM) solutions should enforce update policies and restrict access to untrusted websites. Organizations can also configure browser settings or use content security policies to limit sensor data access or disable sensor APIs where feasible. User awareness training should emphasize the risks of visiting untrusted websites and the importance of applying system updates promptly. Network-level protections such as web filtering and DNS filtering can help block access to known malicious domains. Additionally, monitoring for unusual sensor data access patterns or anomalous web traffic on corporate networks can provide early detection of exploitation attempts. Finally, reviewing and tightening privacy settings on Apple devices can reduce the attack surface.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-04-16T15:24:37.112Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68c8aa70ee2781683eebd7a3
Added to database: 9/16/2025, 12:08:16 AM
Last enriched: 11/3/2025, 7:35:58 PM
Last updated: 11/3/2025, 8:08:22 PM