
CVE-2025-55031: Vulnerability in Mozilla Firefox for iOS

Severity: Critical
Published: Tue Aug 19 2025 (08/19/2025, 20:52:49 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox for iOS

Description

Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.

AI-Powered Analysis

Last updated: 10/31/2025, 05:02:09 UTC

Technical Analysis

CVE-2025-55031 is a critical security vulnerability affecting Mozilla Firefox for iOS and Focus for iOS versions below 142. The vulnerability arises from the browser's handling of FIDO authentication links, specifically the hybrid passkey transport mechanism. A malicious web page can craft a FIDO: link that the browser passes to the iOS operating system, which then initiates the passkey authentication flow. An attacker physically within Bluetooth range of the victim can exploit this by tricking the victim into using their FIDO passkey to log the attacker's device into the victim's account. This attack does not require user interaction or prior authentication, making it highly dangerous. The vulnerability is categorized under CWE-601, indicating an open redirect or improper URL handling issue that facilitates this attack vector. The CVSS v3.1 base score of 9.8 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the potential for account takeover and unauthorized access is significant. The vulnerability affects all Firefox for iOS and Focus for iOS installations prior to version 142, which are widely used browsers on Apple mobile devices. This flaw highlights the risks associated with hybrid authentication mechanisms and the importance of secure handling of FIDO passkey transports in mobile browsers.
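The hand-off described above, where a page-originated FIDO: link reaches the OS and starts the hybrid passkey transport, is a decision a browser's URL router has to make explicitly. The following Python model is an added example, not Firefox's code or Mozilla's patch: it normalises the scheme the way WHATWG URL parsing does (case-insensitive, tabs and newlines removed, leading control characters stripped) and lets only the browser's own WebAuthn flow, never page content, forward a `fido:` URL to the OS. The scheme tables, the `Navigation` fields and the gating rule itself are assumptions.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    NAVIGATE = "navigate"      # rendered by the browser engine itself
    HAND_TO_OS = "hand_to_os"  # forwarded to iOS as an external/system URL
    BLOCK = "block"            # dropped, and worth logging


# Constructed policy tables (assumptions, not Mozilla's configuration).
WEB_SCHEMES = {"http", "https", "about", "blob", "data"}
USER_GESTURE_SCHEMES = {"mailto", "tel", "sms", "facetime"}
PASSKEY_SCHEMES = {"fido"}  # hybrid passkey transport (caBLE) links

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_scheme(url: str) -> str:
    """Return the lowercase scheme, or "" for a relative reference.

    Mirrors WHATWG URL parsing so that look-alikes such as "  FIDO:/..." or
    "fi\\tdo:/..." cannot slip past a naive exact-string comparison.
    """
    cleaned = re.sub(r"[\t\n\r]", "", url).strip(_C0_AND_SPACE)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""


@dataclass(frozen=True)
class Navigation:
    url: str
    from_page_content: bool  # link, redirect or script on a web page
    user_gesture: bool       # a tap by the user started this navigation


def handoff_decision(nav: Navigation) -> Decision:
    """Decide whether a navigation may leave the browser and reach the OS."""
    scheme = normalize_scheme(nav.url)
    if scheme == "" or scheme in WEB_SCHEMES:
        return Decision.NAVIGATE
    if scheme in PASSKEY_SCHEMES:
        # Gate modelled here (an assumption): page content never starts the
        # hybrid transport; only the browser's own WebAuthn flow may do so.
        return Decision.BLOCK if nav.from_page_content else Decision.HAND_TO_OS
    if scheme in USER_GESTURE_SCHEMES:
        return Decision.HAND_TO_OS if nav.user_gesture else Decision.BLOCK
    return Decision.BLOCK  # unknown custom schemes are never forwarded
```

A BLOCK result for a passkey scheme is also a useful telemetry event: a page that repeatedly tries to emit such links is worth surfacing to the user and to defenders.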

Potential Impact

For European organizations, this vulnerability poses a severe risk to user account security, especially for employees or users relying on Firefox or Focus browsers on iOS devices. The ability for an attacker to authenticate to a victim’s account without user interaction or credentials can lead to unauthorized access to sensitive corporate resources, data breaches, and potential lateral movement within networks. Organizations with mobile workforces or those in sectors with high Bluetooth device density (e.g., urban offices, conferences) are particularly vulnerable. The compromise of user accounts could result in loss of confidentiality, integrity, and availability of critical systems and data. Additionally, the attack vector requiring Bluetooth proximity means that physical security and device management policies become crucial. The vulnerability could also undermine trust in FIDO-based authentication methods if exploited at scale, impacting broader security postures.

Mitigation Recommendations

Organizations should prioritize updating Firefox for iOS and Focus for iOS to version 142 or later as soon as patches become available. Until patches are deployed, restricting Bluetooth access on iOS devices, especially in high-risk environments, can reduce the attack surface. Implementing strict device usage policies that limit browser use on iOS devices in sensitive areas can help mitigate risk. Network segmentation and monitoring for unusual authentication patterns related to FIDO passkeys should be enhanced. Educating users about the risks of connecting to unknown Bluetooth devices and encouraging vigilance when browsing untrusted sites is important. Additionally, organizations should review their FIDO authentication configurations and consider multi-factor authentication fallback mechanisms that do not rely solely on passkeys vulnerable to this attack. Security teams should monitor Mozilla advisories for updates and any emerging exploit reports.


Technical Details

Data Version
5.1
Assigner Short Name
mozilla
Date Reserved
2025-08-05T13:26:34.686Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68a4e678ad5a09ad00fb5d92

Added to database: 8/19/2025, 9:02:48 PM

Last enriched: 10/31/2025, 5:02:09 AM

Last updated: 12/1/2025, 6:38:21 AM

Views: 52
