CVE-2025-43542 is a vulnerability identified in Apple’s iOS and iPadOS operating systems, specifically related to the remote control functionality over FaceTime. The flaw stems from inadequate state management during remote control sessions, which can cause password input fields to be unintentionally revealed to the remote party. This exposure occurs without requiring any user interaction or authentication, making it a remotely exploitable issue with a high confidentiality impact. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It affects multiple Apple platforms, including iOS, iPadOS, macOS (Tahoe and Sequoia versions), and visionOS, with fixes released in versions 18.7.3 and 26.2 respectively. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector, low attack complexity, no privileges or user interaction required, and a direct impact on confidentiality. Although no active exploits have been reported, the potential for attackers to remotely view passwords during FaceTime remote control sessions presents a serious risk to user privacy and security. The vulnerability could be leveraged to capture credentials for sensitive services, leading to further compromise of user accounts and organizational resources.

For European organizations, this vulnerability could lead to unauthorized disclosure of passwords and sensitive authentication data, undermining the confidentiality of user credentials. This exposure can facilitate subsequent attacks such as unauthorized access to corporate accounts, data breaches, and lateral movement within networks. Organizations relying heavily on Apple devices for communication and remote support via FaceTime are particularly vulnerable. The risk is amplified in sectors handling sensitive data, including finance, healthcare, and government, where credential theft can have severe regulatory and operational consequences. Additionally, the vulnerability could erode trust in remote collaboration tools and increase the attack surface for espionage or insider threats. Given the ease of exploitation and the critical nature of the data exposed, the impact on confidentiality is significant, though integrity and availability remain unaffected.

European organizations should immediately deploy the security updates released by Apple for iOS 18.7.3, iPadOS 18.7.3, macOS Tahoe 26.2, macOS Sequoia 15.7.3, and visionOS 26.2 to remediate this vulnerability. Until patches are applied, organizations should disable or restrict the use of FaceTime remote control features, especially on devices used for sensitive operations. Implement strict access controls and monitoring for remote sessions initiated via FaceTime to detect any unauthorized or suspicious activity. Educate users about the risks of remote control sessions and encourage vigilance when sharing screen or device control. Incorporate endpoint detection and response (EDR) solutions capable of identifying anomalous remote access behaviors. Finally, review and enhance credential management policies, including multi-factor authentication (MFA), to reduce the impact of potential credential exposure.