CVE-2025-43418: An attacker with physical access to a locked device may be able to view sensitive user information in Apple iOS and iPadOS
This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An attacker with physical access to a locked device may be able to view sensitive user information.
AI Analysis
Technical Summary
CVE-2025-43418 is a vulnerability in Apple’s iOS and iPadOS operating systems that allows an attacker with physical access to a locked device to view sensitive user information without authentication. The root cause is insufficient restriction of options presented on the lock screen, which could be manipulated to expose confidential data. This vulnerability falls under CWE-284 (Improper Access Control), indicating that the system failed to enforce proper access restrictions on sensitive information when the device is locked. Apple fixed this issue in iOS and iPadOS versions 18.7.2 and 26.1 by restricting the options available on the lock screen, thereby preventing unauthorized data exposure. The CVSS v3.1 base score is 4.6, with an attack vector of physical access (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). There are no known exploits in the wild as of the publication date. The vulnerability primarily threatens confidentiality by allowing data leakage from locked devices, which could include personal information, credentials, or sensitive corporate data accessible via lock screen features. The issue is particularly relevant for organizations with mobile workforces relying on Apple devices, as physical device theft or loss could lead to unauthorized data disclosure. The lack of required user interaction and privileges makes this vulnerability easier to exploit once physical access is obtained, but the necessity of physical access limits remote exploitation possibilities.
Potential Impact
For European organizations, this vulnerability poses a risk of sensitive data leakage if devices are lost or stolen and not promptly updated. Confidential information accessible via lock screen features could be exposed, potentially leading to privacy violations, intellectual property loss, or compliance issues under regulations such as GDPR. The impact is heightened in sectors with high mobility and use of Apple devices, including finance, healthcare, and government. While the vulnerability does not allow modification or denial of service, the confidentiality breach could facilitate further attacks or social engineering. Organizations with bring-your-own-device (BYOD) policies may face increased risk if personal devices are used for corporate access and are not updated. The physical access requirement means that the threat is more relevant in environments where device theft or unauthorized physical access is plausible, such as public spaces, travel, or shared workspaces. Overall, the impact is moderate but significant enough to warrant immediate remediation to protect sensitive user and corporate data.
Mitigation Recommendations
1. Immediately update all iOS and iPadOS devices to versions 18.7.2 or 26.1 or later to apply the security fix.
2. Enforce strict physical security policies for mobile devices, including secure storage and handling to prevent unauthorized physical access.
3. Implement device management solutions (MDM) to enforce OS updates and monitor device compliance.
4. Configure lock screen settings to minimize exposure of sensitive information, such as disabling notifications and limiting lock screen widgets.
5. Educate employees on the risks of device loss and the importance of reporting missing devices promptly.
6. Use strong passcodes and biometric authentication to add layers of protection beyond the lock screen.
7. Consider remote wipe capabilities and ensure they are enabled and tested regularly.
8. Review and restrict access to sensitive data on mobile devices where possible, applying the principle of least privilege.
9. Monitor for unusual access patterns or data exfiltration attempts that could indicate exploitation of physical access vulnerabilities.
These measures go beyond generic advice by focusing on operational controls and device configuration tailored to this specific vulnerability.
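Recommendations 1 and 3 come down to one question per device: is its OS at or past the fixed release on its own branch? The fix shipped as 18.7.2 on the 18 branch and 26.1 on the 26 branch, so a plain numeric "at least 18.7.2" check would wrongly pass 26.0. The following is an added example (not part of the original advisory, and not an Apple or MDM vendor tool) that runs that branch-aware check over an MDM inventory export; the CSV columns `device_id,os,version` and the device rows are constructed for illustration, and treating any major newer than 26 as containing the fix is an assumption.

```python
"""Branch-aware patch check for CVE-2025-43418 over an MDM device export.

Added example, not part of the original advisory. Assumes a CSV export
with columns device_id,os,version (constructed here); adapt the column
names to whatever your MDM actually produces.
"""
import csv
import io

# Fixed releases named in the advisory, keyed by major version (branch).
# Apple numbered the release after 18.x as 26, so each branch has its own
# minimum; versions are compared only against their own branch.
FIXED = {18: (18, 7, 2), 26: (26, 1, 0)}


def parse_version(text: str) -> tuple:
    """'18.7.1' -> (18, 7, 1); pads to three parts so 26.1 == 26.1.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version: str) -> bool:
    """True if this iOS/iPadOS version carries the CVE-2025-43418 fix.

    A branch with no listed fixed release (e.g. 17.x) is reported as
    unpatched, since the advisory names no fix for it. Majors newer than
    any listed branch are assumed (assumption, not from the advisory) to
    include the fix.
    """
    v = parse_version(version)
    major = v[0]
    if major > max(FIXED):
        return True
    fixed = FIXED.get(major)
    return fixed is not None and v >= fixed


def vulnerable_devices(csv_text: str) -> list:
    """Sorted device ids of iOS/iPadOS devices that still need the update."""
    needs_update = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["os"].strip().lower() not in ("ios", "ipados"):
            continue  # other platforms are out of scope for this CVE
        if not is_patched(row["version"]):
            needs_update.append(row["device_id"])
    return sorted(needs_update)


# Constructed sample export (not real inventory data).
SAMPLE_EXPORT = """device_id,os,version
ipad-001,iPadOS,18.7.1
iphone-002,iOS,18.7.2
iphone-003,iOS,26.0
iphone-004,iOS,26.1
ipad-005,iPadOS,26.0.1
iphone-006,iOS,17.7.1
mac-007,macOS,15.7
"""

if __name__ == "__main__":
    for device in vulnerable_devices(SAMPLE_EXPORT):
        print("needs update:", device)
```

Note the two edge cases the sample exercises: 26.0.1 is newer than 26.0 but still below 26.1, and 17.7.1 has no fixed release listed at all, so both are reported rather than silently passed.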
Affected Countries
United Kingdom, Germany, France, Sweden, Netherlands, Norway, Denmark, Finland, Ireland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2025-04-16T15:24:37.123Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 690b9d3f5191fb7cf2298936
Added to database: 11/5/2025, 6:53:51 PM
Last enriched: 12/17/2025, 9:26:59 PM
Last updated: 12/21/2025, 8:32:37 AM