CVE-2025-46287 is a critical security vulnerability identified in Apple’s FaceTime service across iOS, iPadOS, macOS, visionOS, and watchOS platforms. The root cause is an inconsistent user interface (UI) state management issue that allows an attacker to spoof the FaceTime caller ID. This means an attacker can manipulate the displayed caller information to impersonate another user, potentially a trusted contact. The vulnerability is classified under CWE-451, which relates to improper UI state management leading to spoofing. The flaw does not require any privileges or user interaction to exploit, making it remotely exploitable over the network. The CVSS v3.1 base score is 9.8, reflecting critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The issue was addressed in Apple’s security updates released for iOS and iPadOS versions 18.7.3 and 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, visionOS 26.2, and watchOS 26.2. Although no active exploits have been reported in the wild, the potential for misuse is significant given the ability to convincingly impersonate callers, which could facilitate phishing, social engineering, or unauthorized access to sensitive information.

The ability to spoof FaceTime caller ID undermines the trust model of caller identification, potentially enabling attackers to impersonate trusted contacts or organizations. This can lead to successful social engineering attacks, phishing attempts, and unauthorized disclosure of sensitive information. Organizations relying on Apple devices for communication may face increased risks of fraud, data breaches, and reputational damage. The vulnerability’s high CVSS score indicates that exploitation could compromise confidentiality, integrity, and availability of communications. Additionally, spoofed calls could be used to bypass security controls that rely on caller identity verification. The broad range of affected Apple platforms increases the scope of impact, affecting enterprises, government agencies, and individual users globally. The absence of required privileges or user interaction further elevates the risk, as attackers can exploit the flaw remotely and without user consent.

Organizations and users should immediately apply the security updates released by Apple for iOS 18.7.3 and 26.2, iPadOS 18.7.3 and 26.2, macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2, visionOS 26.2, and watchOS 26.2. Network administrators should monitor FaceTime traffic for anomalous patterns indicative of spoofing attempts. Implement multi-factor authentication and out-of-band verification for sensitive communications initiated via FaceTime or other VoIP services. Educate users to verify caller identities through secondary channels before disclosing sensitive information or performing critical actions. Consider deploying endpoint detection and response (EDR) solutions capable of detecting unusual FaceTime or communication app behaviors. Organizations should review and update incident response plans to include scenarios involving caller ID spoofing and social engineering attacks. Finally, restrict or monitor FaceTime usage in high-security environments until patches are applied.