CVE-2025-43360 is a vulnerability identified in Apple’s iOS and iPadOS platforms that causes password fields to be unintentionally revealed due to a user interface flaw. The issue stems from improper handling of password field rendering, which may expose sensitive password data visually without requiring user interaction. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.5 (medium), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. The flaw affects unspecified versions prior to iOS and iPadOS 26, where Apple has implemented improved UI controls to prevent accidental password exposure. No public exploits or active exploitation campaigns have been reported. The vulnerability primarily risks confidentiality by potentially exposing passwords to unauthorized local users who have some level of access to the device, such as in shared device scenarios or where physical access controls are weak. The issue does not allow remote exploitation or compromise of device integrity or availability. The fix involves updating to iOS/iPadOS 26, which includes UI improvements to safeguard password fields from unintended display. Organizations relying on Apple mobile devices should prioritize patching and review device access policies to mitigate risks.

For European organizations, this vulnerability poses a confidentiality risk by potentially exposing passwords stored or entered on affected Apple devices. In environments where devices are shared, or where local access controls are insufficient (e.g., kiosks, shared workstations, or mobile devices in public or semi-public settings), unauthorized individuals could view sensitive password information. This could lead to credential compromise, unauthorized access to corporate systems, and subsequent data breaches. Although the vulnerability does not affect integrity or availability, the exposure of passwords can facilitate lateral movement or privilege escalation attacks. The risk is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government institutions. Organizations with mobile workforces relying on iOS/iPadOS devices must ensure timely updates and enforce strict physical device security policies to minimize exposure. The lack of known exploits reduces immediate risk but does not eliminate the need for proactive mitigation.

1. Upgrade all Apple iOS and iPadOS devices to version 26 or later, where the vulnerability is fixed with improved UI handling of password fields. 2. Implement strict physical security controls to prevent unauthorized local access to devices, especially in shared or public environments. 3. Enforce device lock policies with strong authentication mechanisms (e.g., biometrics, strong passcodes) to limit local access. 4. Educate users about the risk of password exposure on shared devices and encourage use of password managers that mask credentials securely. 5. Review and restrict the use of shared or kiosk-mode devices running vulnerable iOS/iPadOS versions until patched. 6. Monitor for unusual access patterns or credential misuse that could indicate exploitation of exposed passwords. 7. Coordinate with Apple support and security advisories to stay informed about any emerging exploits or additional patches. 8. Consider deploying Mobile Device Management (MDM) solutions to enforce update compliance and security policies across all managed Apple devices.