
CVE-2025-60022: Improper certificate validation in KDDI CORPORATION 'デジラアプリ' App for iOS

Severity: Medium
Published: Mon Nov 17 2025 (11/17/2025, 05:51:23 UTC)
Source: CVE Database V5
Vendor/Project: KDDI CORPORATION
Product: 'デジラアプリ' App for iOS

Description

Improper certificate validation vulnerability exists in 'デジラアプリ' App for iOS prior to ver.80.10.00. If this vulnerability is exploited, a man-in-the-middle attack may allow an attacker to eavesdrop on and/or tamper with an encrypted communication.

AI-Powered Analysis

Last updated: 11/17/2025, 06:15:25 UTC

Technical Analysis

CVE-2025-60022 identifies an improper certificate validation vulnerability in the 'デジラアプリ' iOS application developed by KDDI CORPORATION, affecting versions prior to 80.10.00. The flaw arises because the app fails to correctly validate SSL/TLS certificates during encrypted communications, which is a fundamental security mechanism to prevent interception or tampering. This improper validation can be exploited by an attacker positioned in a man-in-the-middle role, such as on a compromised Wi-Fi network or by DNS spoofing, to intercept or alter data transmitted between the app and its backend servers. The vulnerability does not require any privileges or user interaction, making it remotely exploitable over the network. The CVSS 3.0 score of 4.8 reflects a medium severity, with low impact on confidentiality and integrity, no impact on availability, and high attack complexity. No public exploits have been reported, but the risk remains significant for sensitive communications. The vulnerability was published on November 17, 2025, by JPCERT, and no official patch links are provided in the data, but upgrading to version 80.10.00 or later is implied as the remediation. This vulnerability highlights the critical importance of robust certificate validation in mobile applications, especially those handling sensitive or personal data.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on their use of the 'デジラアプリ' iOS app, which is primarily targeted at Japanese users but may be used by European companies with operations or customers in Japan. If exploited, attackers could intercept or manipulate sensitive communications, potentially leading to data leakage, privacy violations, or fraudulent transactions. Although the CVSS score indicates medium severity, the risk is heightened in environments where sensitive personal or corporate data is transmitted. The lack of user interaction or privileges required for exploitation increases the threat surface. European organizations involved in telecommunications, finance, or services linked to Japanese markets could face reputational damage and compliance issues under GDPR if personal data is compromised. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Overall, the vulnerability could undermine trust in secure communications and affect cross-border business operations.

Mitigation Recommendations

1. Immediate upgrade to version 80.10.00 or later of the 'デジラアプリ' iOS app once available, as this version addresses the certificate validation flaw.
2. Until the update is applied, restrict app usage to trusted networks and avoid public or unsecured Wi-Fi to reduce MITM attack risks.
3. Implement network-level TLS inspection and anomaly detection to identify suspicious certificate behavior or unusual traffic patterns associated with the app.
4. Educate users about the risks of connecting to untrusted networks and encourage the use of VPNs when accessing sensitive applications.
5. Monitor for any unusual app behavior or data leakage indicators within enterprise mobile device management (MDM) systems.
6. Collaborate with KDDI CORPORATION or authorized vendors for timely security advisories and patches.
7. For organizations with custom integrations or APIs linked to the app, verify backend server certificate configurations and enforce strict TLS policies.
8. Conduct periodic security assessments of mobile applications used within the organization to detect similar vulnerabilities proactively.
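The defect class described in the technical analysis, and the configuration check that mitigations 7 and 8 call for, shown as an added example using Python's ssl module (this is not KDDI's code; the app's own implementation is not on this page). The first context accepts any certificate a man-in-the-middle presents; the second is the corrected form; the audit function returns the findings an assessment would raise for a client TLS configuration.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The improper-validation pattern: TLS is negotiated, but the peer
    certificate is never checked, so any certificate presented by an
    interposed party is accepted and the session is silently decryptable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # name in cert never compared to the host
    ctx.verify_mode = ssl.CERT_NONE  # chain not validated against any trust store
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected form: chain validation against the platform trust store,
    hostname verification, and no legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a configuration review would raise for ctx.
    An empty list means the context validates peers the way the
    advisory's remediation expects."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not validated "
                        "(verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate "
                        "(check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions permitted "
                        "(minimum_version below TLSv1_2)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```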


Technical Details

Data Version: 5.2
Assigner Short Name: jpcert
Date Reserved: 2025-10-29T04:18:42.064Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 691ab9fc1ba1a3acd84ff7e8

Added to database: 11/17/2025, 6:00:28 AM

Last enriched: 11/17/2025, 6:15:25 AM

Last updated: 11/17/2025, 7:23:19 AM
