CVE-2025-43542: Password fields may be unintentionally revealed when remotely controlling a device over FaceTime in Apple iOS and iPadOS
This issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Tahoe 26.2, visionOS 26.2. Password fields may be unintentionally revealed when remotely controlling a device over FaceTime.
AI Analysis
Technical Summary
CVE-2025-43542 is a vulnerability identified in Apple’s iOS, iPadOS, macOS, and visionOS platforms that arises when a device is remotely controlled via FaceTime. The flaw involves improper state management that causes password fields, which should be masked or hidden, to be unintentionally revealed during remote control sessions. This exposure could allow an attacker to view sensitive password information without requiring any user interaction or prior authentication, making the attack vector highly accessible. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 7.5, indicating high severity, with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning it is remotely exploitable over the network with low complexity, no privileges, and no user interaction needed, impacting confidentiality only. Apple has fixed this issue in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Tahoe 26.2, and visionOS 26.2 by enhancing state management to prevent password fields from being exposed during remote control. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the sensitive nature of the data exposed and the ease of exploitation.
Potential Impact
The primary impact of CVE-2025-43542 is the unauthorized disclosure of passwords during remote control sessions over FaceTime, compromising the confidentiality of user credentials. This can lead to unauthorized access to user accounts, services, and sensitive data if attackers capture passwords in real time. Since the vulnerability does not affect integrity or availability, the direct impact is limited to information disclosure. However, exposed passwords can facilitate further attacks such as account takeover, lateral movement within networks, and escalation of privileges. Organizations relying on Apple devices for remote support or collaboration are particularly vulnerable, as attackers could exploit this flaw to harvest credentials without alerting users. The ease of exploitation and lack of required privileges increase the risk of widespread abuse, especially in environments where remote control features are frequently used. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, emphasizing the need for timely patching.
Mitigation Recommendations
To mitigate CVE-2025-43542, organizations and users should immediately update all affected Apple devices to the patched versions: iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Tahoe 26.2, and visionOS 26.2. Beyond patching, organizations should review and restrict the use of remote control features over FaceTime to trusted personnel only and consider disabling remote control capabilities if not essential. Implement network-level controls such as firewall rules to limit FaceTime traffic to known endpoints and monitor for unusual remote control session activity. Employ multi-factor authentication (MFA) on accounts to reduce the impact of password exposure. Conduct user awareness training to recognize suspicious remote control requests and encourage immediate reporting. Additionally, audit logs of remote control sessions should be enabled and regularly reviewed to detect potential exploitation attempts. Finally, consider deploying endpoint detection and response (EDR) solutions capable of identifying anomalous behavior related to remote control sessions.
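The patching step can be checked against a device inventory. The following is an added example, not part of the original advisory or any Apple tooling: it compares each device with the fixed release on its own major-version line, using only the versions listed on this page. The inventory rows, host names and function names are constructed, and treating a later point release on the same line as fixed is an assumption.

```python
# Added example. Fixed releases are the ones named in this advisory;
# the inventory below is constructed sample data.
FIXED = {
    "iOS": ["18.7.3", "26.2"],
    "iPadOS": ["18.7.3", "26.2"],
    "macOS": ["15.7.3", "26.2"],   # Sequoia 15.7.3, Tahoe 26.2
    "visionOS": ["26.2"],
}

def parse(version):
    """'26.2' -> (26, 2, 0); pad so that 26.2 and 26.2.0 compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version):
    """Return 'fixed', 'needs-update' or 'unlisted' for one device."""
    fixes = FIXED.get(platform)
    if fixes is None:
        return "unlisted"          # platform not named in the advisory
    have = parse(version)
    for fix in map(parse, fixes):
        if fix[0] == have[0]:      # compare within the same major line only
            # Assumption: later point releases on the line keep the fix.
            return "fixed" if have >= fix else "needs-update"
    return "unlisted"              # advisory names no fix for this major line

INVENTORY = [  # constructed sample rows
    {"host": "ipad-frontdesk", "platform": "iPadOS", "version": "18.7.2"},
    {"host": "iphone-exec-01", "platform": "iOS", "version": "26.1"},
    {"host": "iphone-exec-02", "platform": "iOS", "version": "18.7.3"},
    {"host": "mbp-support-03", "platform": "macOS", "version": "15.7.3"},
    {"host": "mbp-support-04", "platform": "macOS", "version": "26.2"},
    {"host": "mac-lab-07", "platform": "macOS", "version": "14.8"},
    {"host": "vision-demo", "platform": "visionOS", "version": "26.2.1"},
]

def audit(inventory):
    """List (host, status) for every device not confirmed as fixed."""
    findings = []
    for row in inventory:
        result = status(row["platform"], row["version"])
        if result != "fixed":
            findings.append((row["host"], result))
    return findings

if __name__ == "__main__":
    for host, result in audit(INVENTORY):
        print(f"{host}: {result}")
```

Devices reported as `unlisted` run a release line for which this page names no fixed version, so they need a manual decision rather than an automatic pass.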
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India, Brazil, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2025-04-16T15:27:21.199Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693c8581f55ccbd2c799d982
Added to database: 12/12/2025, 9:13:37 PM
Last enriched: 4/3/2026, 2:39:23 AM
Last updated: 5/7/2026, 7:37:39 PM