{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24141", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-01-17T00:00:44.975Z", "datePublished": "2025-01-27T21:46:22.315Z", "dateUpdated": "2026-04-02T18:21:29.555Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An attacker with physical access to an unlocked device may be able to access Photos while the app is locked"}]}], "affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "18.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked."}], "references": [{"url": "https://support.apple.com/en-us/122066"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:21:29.555Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-863", "lang": "en", "description": "CWE-863 Incorrect Authorization"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-28T16:15:51.415907Z", "id": "CVE-2025-24141", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T21:34:52.627Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Jan/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:03:44.932Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Jan/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:03:44.932Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-28T16:15:51.415907Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T16:15:46.545Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "18.3", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122066"}], "descriptions": [{"lang": "en", "value": "An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An attacker with physical access to an unlocked device may be able to access Photos while the app is locked"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-01-27T21:46:22.315Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24141", "state": "PUBLISHED", "dateUpdated": "2025-11-03T21:03:44.932Z", "dateReserved": "2025-01-17T00:00:44.975Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-01-27T21:46:22.315Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B7F80FC-EB0A-4B78-8CB7-18E5F162CD6A", "versionEndExcluding": "18.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "71A94ACA-8143-475F-8A89-8020B86CE80B", "versionEndExcluding": "18.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked."}, {"lang": "es", "value": "Se solucion\u00f3 un problema de autenticaci\u00f3n con con una mejor gesti\u00f3n del estado. Este problema se solucion\u00f3 en iOS 18.3 y iPadOS 18.3. Un atacante con acceso f\u00edsico a un dispositivo desbloqueado podr\u00eda acceder a Fotos mientras la aplicaci\u00f3n est\u00e1 bloqueada."}], "id": "CVE-2025-24141", "lastModified": "2025-11-03T21:19:26.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-27T22:15:18.800", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes"], "url": "https://support.apple.com/en-us/122066"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/13"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T12:07:54.734606+00:00", "value": {"mitigation_remediation": ["Apply the iOS 18.3 or iPadOS 18.3 update to install the state\u2011management fix", "Configure the device to require a passcode, Face ID, or Touch ID immediately after the screen locks, preventing unauthorized users from accessing the device when it is not actively in use", "When leaving a device unattended, lock it manually or use the automatic lock feature to ensure it is not left in an unlocked state", "Ensure that the Photos app enforces proper authorization (CWE\u2011863) by verifying the user\u2019s identity before granting access to private photo data"], "summary": {"action": "Update OS", "impact": "Potential local disclosure of Photos while app is locked"}, "threat_synthesis": {"affected_systems": "Apple iOS and Apple iPadOS versions prior to iOS 18.3 and iPadOS 18.3 are affected.", "description_and_impact": "An authentication flaw in iOS and iPadOS was corrected by improving state management. Devices that had not yet applied the 18.3 update could allow an attacker who has physical access to a device in an unlocked state to view or retrieve content from the Photos app even when that app is locked. The flaw does not enable remote code execution or system compromise beyond the limited exposure of personal images and may be immediately exploitable by anyone with the device in hand.", "risk_and_exploitability": "The CVSS score of 3.3 denotes a low\u2011severity vulnerability, and the EPSS score of less than 1 percent indicates that the probability of exploitation is very small. Because the attack requires the device to be physically accessible and already unlocked, the risk is limited to situations where the user leaves the device unattended. The vulnerability is not listed in the CISA KEV catalog and no widespread exploitation has been reported."}}}}, "created": "2026-04-28T12:15:30.890568+00:00", "updated": "2026-04-28T12:15:30.890578+00:00", "vendors": []}