{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24193", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-01-17T00:00:44.997Z", "datePublished": "2025-03-31T22:24:03.607Z", "dateUpdated": "2026-04-02T18:24:10.377Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos"}]}], "affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "18.4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "This issue was addressed with improved authentication. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos."}], "references": [{"url": "https://support.apple.com/en-us/122371"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:24:10.377Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T15:59:27.308700Z", "id": "CVE-2025-24193", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T16:01:01.647Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Apr/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:07:06.740Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Apr/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:07:06.740Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24193", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-01T15:59:27.308700Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T15:59:56.258Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "18.4", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122371"}], "descriptions": [{"lang": "en", "value": "This issue was addressed with improved authentication. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-03-31T22:24:03.607Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24193", "state": "PUBLISHED", "dateUpdated": "2025-11-03T21:07:06.740Z", "dateReserved": "2025-01-17T00:00:44.997Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-03-31T22:24:03.607Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B3450F7-7B4A-46CE-A6E0-BBE6569F2EBF", "versionEndExcluding": "18.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D9C73F9-FEF4-4FC1-B83D-56566AD35990", "versionEndExcluding": "18.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This issue was addressed with improved authentication. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos."}, {"lang": "es", "value": "Este problema se solucion\u00f3 mejorando la autenticaci\u00f3n. Este problema se solucion\u00f3 en iOS 18.4 y iPadOS 18.4. Un atacante con una conexi\u00f3n USB-C a un dispositivo desbloqueado podr\u00eda acceder a las fotos mediante programaci\u00f3n."}], "id": "CVE-2025-24193", "lastModified": "2025-11-03T21:19:32.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-31T23:15:17.703", "references": [{"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/122371"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Apr/4"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T02:31:21.911757+00:00", "value": {"mitigation_remediation": ["Upgrade the device to iOS 18.4 or iPadOS 18.4 to receive the hardened authentication fix.", "Before connecting via USB\u2011C, lock the device to prevent unauthorized programmatic access.", "If using a mobile device management solution, disable or restrict USB file transfer unless the device is in a trusted state."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to personal photos via USB\u2011C"}, "threat_synthesis": {"affected_systems": "Apple iOS and iPadOS devices running versions prior to 18.4 are affected. The fix is provided in iOS 18.4 and iPadOS 18.4, so any device not updated to these releases remains at risk.", "description_and_impact": "The vulnerability arises from an improper authorization check in iOS and iPadOS that allows an attacker who has a USB\u2011C connection to an unlocked device to programmatically access photos. This flaw is classified as CWE\u2011284, illustrating a weakness in access control that compromises confidentiality. While it does not provide broader system compromise, the attacker could retrieve any photo stored locally on the device.", "risk_and_exploitability": "The CVSS score is 2.4, indicating low severity. The EPSS score is below 1%, reflecting a very low likelihood of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation is limited to situations where an attacker has physical access to the device via USB\u2011C and the device is unlocked. Under these constraints, the risk is moderate but constrained to physical possession and unlocking the device."}}}}, "created": "2026-04-28T02:45:11.079439+00:00", "title": "Limited Access to Photos via USB\u2011C on Unlocked Devices in iOS/iPadOS", "updated": "2026-04-28T02:45:11.079463+00:00", "vendors": []}