CVE-2025-24221

CVE-2025-24221 is a vulnerability in Apple's iOS, iPadOS, and visionOS operating systems that allows sensitive keychain data to be accessible from an iOS backup due to insufficient data access restrictions (CWE-863: Incorrect Authorization). The issue affects versions prior to iOS 18.4, iPadOS 18.4 and 17.7.6, and visionOS 2.4, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from a network-accessible attack requiring no privileges or user interaction.

An attacker with access to an iOS backup file—such as those created via iTunes or Finder—can exploit this vulnerability to read sensitive keychain data, including credentials and other protected information stored in the keychain. No authentication or privileges are required on the target device, and the attack can be performed remotely if the backup is obtainable over a network, such as from an unencrypted or compromised backup storage location.

Apple's security advisories detail that the vulnerability was addressed by improving data access restrictions in the fixed releases: iOS 18.4, iPadOS 18.4 and 17.7.6, and visionOS 2.4. Security practitioners should ensure devices are updated to these versions and advise users to encrypt backups and store them securely to mitigate risks from backup exposure. Additional details are available in Apple's support documents at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122372, and https://support.apple.com/en-us/122378, along with full disclosure archives.