
CVE-2025-45157: n/a

Medium
Published: Fri Jul 18 2025 (07/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Insecure permissions in Splashin iOS v2.0 allow unauthorized attackers to access location data for specific users.

AI-Powered Analysis

Last updated: 07/18/2025, 17:16:05 UTC

Technical Analysis

CVE-2025-45157 is a security vulnerability identified in the Splashin iOS application, version 2.0. The core issue is insecure permissions management within the app, which allows unauthorized attackers to access the location data of specific users. Location data is highly sensitive because it can reveal a user's real-time or historical whereabouts, exposing them to privacy violations, stalking, or other malicious activity. The vulnerability likely arises from improper access control or misconfigured data storage or sharing policies within the app, which let an attacker bypass authentication or authorization checks. Although the exact technical vector is not detailed in the advisory, the flaw compromises confidentiality by exposing sensitive location information without user consent. No CVSS score has been assigned yet, and there were no known exploits in the wild at the time of publication. No patch or fix has been publicly released either, so users of Splashin iOS v2.0 remain at risk until remediation is available. The CVE was reserved in April 2025 and published in July 2025, indicating recent discovery and disclosure.

Potential Impact

For European organizations, especially those that handle user data or provide services through the Splashin iOS app, this vulnerability poses significant privacy and compliance risks. Unauthorized access to location data can constitute a breach of the EU General Data Protection Regulation (GDPR), which mandates strict controls over the processing and protection of personal data. Organizations could face legal penalties, reputational damage, and loss of user trust if user location information is exposed. If the app is used in critical sectors such as transportation, logistics, or emergency services, the compromise of location data could also disrupt operations or endanger individuals. The lack of a patch widens the window of exposure, and even though no exploits are currently known, attackers may develop methods to leverage this vulnerability. European users of Splashin iOS v2.0 are therefore at risk of privacy invasion and of targeted attacks based on their location information.

Mitigation Recommendations

Given the absence of an official patch, European organizations and users should take immediate steps to reduce risk. First, restrict or disable the Splashin iOS app on corporate or managed devices until a fix is released. Audit installed applications to identify affected versions and remove or update them accordingly. Enforce strict mobile device management (MDM) policies that control app permissions, especially location access, following the principle of least privilege. Educate users about the risks of sharing location data and encourage them to review app permissions regularly. Network-level controls such as VPNs or secure tunnels can help obscure location data from unauthorized interception. Monitor for unusual access patterns or data exfiltration attempts related to the app. Finally, maintain close communication with the app vendor about updates and apply patches promptly once they become available.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 687a7dd6a83201eaacf53d67

Added to database: 7/18/2025, 5:01:10 PM

Last enriched: 7/18/2025, 5:16:05 PM

Last updated: 8/3/2025, 12:37:26 AM
