CVE-2025-43459: An attacker with physical access to a locked Apple Watch may be able to view Live Voicemail in Apple watchOS
An authentication issue was addressed with improved state management. This issue is fixed in watchOS 26.1. An attacker with physical access to a locked Apple Watch may be able to view Live Voicemail.
AI Analysis
Technical Summary
CVE-2025-43459 is an authentication bypass vulnerability in Apple watchOS that affects the Live Voicemail feature. The root cause is an authentication issue arising from improper state management, which allows an attacker with physical access to a locked Apple Watch to bypass authentication controls and view Live Voicemail content. Exploitation requires no prior privileges and no user interaction, only physical access to the device. The vulnerability affects all watchOS versions prior to 26.1; Apple fixed it in watchOS 26.1 with improved state management. The CVSS v3.1 score is 4.6 (medium severity), with a vector indicating physical access (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). The vulnerability is categorized under CWE-863 (Incorrect Authorization). No public exploits have been reported, and no patch links are provided beyond the mention of watchOS 26.1 as the fixed version. The vulnerability primarily threatens the confidentiality of voicemail data accessible via the Apple Watch, which could lead to privacy breaches if exploited.
Potential Impact
The primary impact of CVE-2025-43459 is the compromise of confidentiality. An attacker with physical access to a locked Apple Watch can view Live Voicemail content without authentication, potentially exposing sensitive personal or corporate information contained in voicemail messages. This could lead to privacy violations, social engineering attacks, or leakage of confidential communications. Because the vulnerability does not affect integrity or availability, the device's operation and the integrity of its data are unaffected. The requirement for physical access limits exploitation to scenarios where the device is unattended or stolen. Organizations with employees who use Apple Watches for business communications may face increased risk of sensitive data exposure. The lack of known exploits reduces immediate risk, but the vulnerability remains a concern until devices are updated. The impact is particularly relevant in sectors handling sensitive information such as finance, healthcare, and government.
Mitigation Recommendations
To mitigate CVE-2025-43459, organizations and users should promptly update all affected Apple Watches to watchOS 26.1 or later, where the vulnerability is fixed through improved state management. Physical security controls should be enhanced to prevent unauthorized access to devices, including enforcing strict policies on device handling and storage. Consider disabling Live Voicemail features on Apple Watches if not essential, reducing the attack surface. Employ multi-factor authentication and strong passcodes on paired iPhones to limit voicemail access. Regularly audit device usage and educate users about the risks of leaving devices unattended. For organizations, implement endpoint management solutions to enforce timely OS updates and monitor device compliance. Additionally, review voicemail system configurations to ensure voicemail content is protected at the source and consider alternative secure communication methods if voicemail confidentiality is critical.
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2025-04-16T15:24:37.126Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69095bb178d4f574c2a8f46d
Added to database: 11/4/2025, 1:49:37 AM
Last enriched: 4/3/2026, 2:25:19 AM
Last updated: 5/10/2026, 10:43:14 AM