CVE-2025-49846 is a medium-severity vulnerability affecting the Wire iOS client application versions from 3.111.1 up to but not including 3.124.1. Wire is a secure messaging platform, and the iOS client is widely used for encrypted communications. The vulnerability arises due to improper output neutralization for logs (CWE-117) combined with sensitive data being logged in clear text (CWE-532). Specifically, messages visible in the viewport of the Wire iOS app were inadvertently logged to the iOS system logs in plaintext. This occurred when the app called the iOS API canOpenUrl() with an invalid URL object, causing iOS to log the URL contents to the system log. This logging behavior is undocumented by Apple. Importantly, the Wire app’s own logs, including those exportable to support, were not affected. The sensitive data exposure is limited to the iOS system logs, which can only be accessed if an attacker has physical access to an unlocked device. Wire addressed this issue with an emergency patch in version 3.124.1. The only workaround prior to patching is to reset the iOS device to clear the system logs, as Wire cannot modify or delete iOS system logs. The CVSS 4.0 vector indicates local attack vector, low attack complexity, partial privileges required, partial user interaction, and high impact on confidentiality but no impact on integrity or availability. There are no known exploits in the wild at this time.

For European organizations using Wire iOS clients, this vulnerability poses a risk of sensitive message exposure if an attacker gains physical access to an unlocked device. This could lead to confidentiality breaches of sensitive communications, potentially exposing personal data, corporate secrets, or other confidential information. The impact is mitigated by the requirement for physical access and an unlocked device, limiting remote exploitation. However, in environments where devices are shared, lost, or stolen, this vulnerability could facilitate insider threats or opportunistic data theft. Given Wire’s use in privacy-conscious sectors, including legal, healthcare, and corporate communications, the exposure of message content—even temporarily—could have regulatory and reputational consequences under GDPR and other data protection laws. The vulnerability does not affect message integrity or availability, and no remote exploitation is possible, limiting the scope of impact primarily to confidentiality on compromised devices.

European organizations should immediately update all Wire iOS clients to version 3.124.1 or later to remediate this vulnerability. Until updates are deployed, organizations should enforce strict physical security controls over iOS devices, including mandatory device locking with strong passcodes or biometric authentication to prevent unauthorized access. Device management solutions should be used to monitor and restrict physical access risks. Users should be instructed to reset their iOS devices to clear existing system logs if they suspect exposure. Additionally, organizations should review their incident response and data protection policies to address potential data exposure from lost or stolen devices. Regular audits of device security posture and user training on physical security best practices are recommended. Since Wire cannot control iOS system logs, reliance on OS-level security is critical. Finally, organizations should monitor for any updates from Apple regarding logging behavior and consider reporting any suspicious device access attempts.