CVE-2025-43356: A website may be able to access sensor information without user consent in Apple iOS and iPadOS
The issue was addressed with improved handling of caches. This issue is fixed in tvOS 26, Safari 26, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. A website may be able to access sensor information without user consent.
AI Analysis
Technical Summary
CVE-2025-43356 is a vulnerability affecting Apple iOS and iPadOS platforms, as well as other Apple operating systems including tvOS, Safari, visionOS, watchOS, and macOS Tahoe. The core issue involves improper handling of caches that allows a website to access sensor information without obtaining explicit user consent. Sensor information typically includes data from accelerometers, gyroscopes, ambient light sensors, and other device sensors that can reveal sensitive contextual information about the user’s environment and behavior. This vulnerability arises because the caching mechanism did not adequately enforce permission checks before granting access to sensor data, enabling malicious websites to bypass user consent dialogs. The vulnerability was addressed by Apple through improved cache handling in updates to the affected operating systems, specifically in versions tvOS 26, Safari 26, iOS 18.7, iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26, and iPadOS 26. The affected versions prior to these updates are unspecified, but the vulnerability is present in iOS and iPadOS versions before 18.7 and 26 respectively. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability’s exploitation does not require user authentication but involves user interaction in the form of visiting a malicious website. However, the bypass of user consent mechanisms significantly raises the risk of unauthorized data collection and privacy invasion.
Potential Impact
For European organizations, this vulnerability poses significant privacy and security risks. Unauthorized access to sensor data can be leveraged for user tracking, behavioral profiling, or even side-channel attacks that infer sensitive information such as physical location, device orientation, or user activities. Organizations handling sensitive personal data or operating in regulated sectors such as finance, healthcare, or government could face compliance issues under GDPR if sensor data is collected without user consent. Additionally, attackers could use this vulnerability as a foothold for further attacks, such as fingerprinting devices to bypass other security controls or to facilitate targeted phishing campaigns. The risk is amplified in environments where iOS and iPadOS devices are widely used for business operations, remote work, or customer interactions. Although no active exploits are known, the potential for abuse once the vulnerability is publicly disclosed and before patch adoption is high. This could lead to reputational damage, regulatory penalties, and loss of customer trust for European organizations.
Mitigation Recommendations
European organizations should prioritize updating all Apple devices to the patched versions as soon as possible—specifically iOS 18.7, iPadOS 18.7, and corresponding updates for other Apple platforms. Network-level controls such as web filtering and DNS filtering can help block access to known malicious websites that might exploit this vulnerability. Organizations should also review and tighten privacy settings on managed devices to restrict sensor data access where possible. Implementing Mobile Device Management (MDM) solutions to enforce timely OS updates and monitor device compliance is critical. User awareness training should emphasize the risks of visiting untrusted websites and the importance of installing updates promptly. For high-risk environments, consider disabling or limiting sensor access in browsers or using browser extensions that control sensor permissions. Finally, organizations should monitor threat intelligence feeds for any emerging exploits related to this vulnerability to respond rapidly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-04-16T15:24:37.112Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68c8aa70ee2781683eebd7a3
Added to database: 9/16/2025, 12:08:16 AM
Last enriched: 9/16/2025, 12:24:01 AM
Last updated: 9/19/2025, 8:12:00 AM