CVE-2025-24095
Published: 31 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-24095 is a vulnerability that allows an app to bypass Privacy preferences due to insufficient entitlement checks, classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It affects iOS versions prior to 18.4, iPadOS versions prior to 18.4, and visionOS versions prior to 2.4. The issue has a CVSS v3.1 base score of 7.6 (High), reflecting network accessibility, low attack complexity, low privileges required, user interaction needed, unchanged scope, high impact on confidentiality and integrity, and low impact on availability.
Exploitation requires an attacker with low privileges, such as a malicious app installed on the device, and user interaction, potentially during app installation or usage. A successful attack enables the app to circumvent Privacy preferences, resulting in high confidentiality and integrity impacts by accessing or modifying sensitive user data without authorization, alongside limited availability disruption.
Apple's security advisories confirm the issue was addressed through additional entitlement checks in iOS 18.4, iPadOS 18.4, and visionOS 2.4. Relevant details are available in Apple support documents at https://support.apple.com/en-us/122371 and https://support.apple.com/en-us/122378, with the corresponding Full Disclosure list postings at http://seclists.org/fulldisclosure/2025/Apr/12 and http://seclists.org/fulldisclosure/2025/Apr/4. Security practitioners should prioritize updating affected devices to the fixed versions to mitigate this bypass risk.
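Because remediation is purely a version cut-off, the practical check is whether each managed device already runs a fixed build. The Python below is an added example, not part of the advisory: it compares MDM-style inventory records (constructed sample data) against the fixed versions named above, using numeric tuple comparison so that, for example, 18.10 is correctly treated as newer than 18.4.

```python
# Fixed versions from the advisory: anything older on these platforms is affected.
FIXED_VERSIONS = {
    "iOS": "18.4",
    "iPadOS": "18.4",
    "visionOS": "2.4",
}


def parse_version(v: str) -> tuple:
    """Turn '18.3.2' into (18, 3, 2). Non-numeric trailing parts (beta tags,
    hypothetical here) are ignored so comparison stays numeric."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(platform: str, version: str) -> bool:
    """True if the platform is covered by the advisory and the version predates the fix."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return False  # macOS, tvOS etc. are not listed for this CVE
    return parse_version(version) < parse_version(fixed)


def affected_devices(inventory: list) -> list:
    """Return the ids of inventory records that still need the update."""
    return [d["id"] for d in inventory if is_affected(d["platform"], d["os_version"])]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "platform": "iOS", "os_version": "18.3.2"},
    {"id": "iphone-002", "platform": "iOS", "os_version": "18.4"},
    {"id": "iphone-003", "platform": "iOS", "os_version": "18.10"},
    {"id": "ipad-001", "platform": "iPadOS", "os_version": "17.7.5"},
    {"id": "vision-001", "platform": "visionOS", "os_version": "2.3.1"},
    {"id": "vision-002", "platform": "visionOS", "os_version": "2.4"},
    {"id": "mac-001", "platform": "macOS", "os_version": "15.3"},
]

if __name__ == "__main__":
    for dev_id in affected_devices(SAMPLE_INVENTORY):
        print(f"{dev_id}: update required for CVE-2025-24095")
```

The tuple comparison is the point worth keeping: a naive string compare ("18.10" < "18.4") would flag a patched device as vulnerable, and a float compare would miss the third component entirely.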
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
- Affected Products: iOS before 18.4, iPadOS before 18.4, visionOS before 2.4
- MITRE ATT&CK Enterprise Techniques: T1005 (Data from Local System), T1565.001 (Data Manipulation: Stored Data Manipulation)
Why these techniques?
The vulnerability allows a malicious app to bypass privacy preferences via insufficient entitlement checks, directly enabling unauthorized access to sensitive local user data (T1005) and modification of stored data (T1565.001).