Cyber Posture

CVE-2025-43428

Critical

Published
17 December 2025
Modified
02 April 2026
KEV Added
Patch
CVSS Score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score 0.0015 (35.1st percentile)
Risk Priority 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in the Hidden Photos Album may be viewed without authentication.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly prohibits viewing of Hidden Photos Album content without identification and authentication.

Prevent: Enforces approved authorizations so that photos in the Hidden Album cannot be accessed by unauthorized subjects.

Prevent: Mandates secure configuration settings, including the authentication restriction on sensitive features such as the Hidden Photos Album.

Security Summary

CVE-2025-43428 is a configuration issue (CWE-306: Missing Authentication for Critical Function) in Apple's Hidden Photos Album feature, allowing photos stored there to be viewed without authentication. The vulnerability affects iOS and iPadOS versions prior to 26.2, macOS Tahoe prior to 26.2, and visionOS prior to 26.2. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of requirements for privileges or user interaction.

As scored, the vector places the attacker on the network and requires neither privileges nor user interaction, and it rates confidentiality, integrity and availability all as high. Apple's description, however, describes only a missing authentication gate in front of the Hidden album on the device itself: the stated outcome is that the photos stored there can be viewed, which is a confidentiality impact, and the advisory names no network-reachable component. Treat the 9.8 as the worst-case scoring of the vector string rather than as a statement that the flaw is remotely exploitable; the low EPSS (0.0015) is consistent with that reading, and patch prioritisation should lean on the fix being available rather than on the base score alone.

Apple's security advisories detail that the issue was addressed by adding additional restrictions, with fixes available in iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, and visionOS 26.2. Relevant updates are documented at https://support.apple.com/en-us/125884, https://support.apple.com/en-us/125886, and https://support.apple.com/en-us/125891.

Details

CWE(s)

CWE-306: Missing Authentication for Critical Function

Affected Products

apple ipados < 26.2 (fixed in 26.2)
apple iphone os (iOS) < 26.2 (fixed in 26.2)
apple macos (macOS Tahoe) < 26.2 (fixed in 26.2)
apple visionos < 26.2 (fixed in 26.2)
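A check a fleet owner would actually run against this list, as an added example that is not part of this page: parse a device inventory and flag every host whose OS version is below the version that carries the fix. The inventory rows are constructed for the example and the product names follow the CPE-style names in the list above. The comparison is numeric per component rather than lexical, because a string comparison puts "26.10" before "26.2" and would misreport a patched device as vulnerable. The page states only the 26.2 fix line, so anything below 26.2 is reported as unpatched; if a fix is back-ported to an older branch, that branch would need its own entry in FIXED_IN.

```python
# Fixed versions stated on this page for CVE-2025-43428, keyed by the product
# names the Affected Products list uses (CPE-style; "iphone os" is iOS).
FIXED_IN = {
    "ipados": "26.2",
    "iphone os": "26.2",
    "macos": "26.2",
    "visionos": "26.2",
}

# Constructed sample export (e.g. from an MDM report): hostname,product,version.
# Hosts and versions are invented for the example.
SAMPLE_INVENTORY = """\
ipad-finance-01,ipados,26.1
iphone-ceo,iphone os,26.2
mbp-dev-07,macos,26.2.1
mbp-dev-08,macos,26.1.1
vision-lab-01,visionos,26.2
ipad-kiosk-03,ipados,26.10
iphone-old-12,iphone os,18.7.2
"""


def parse_version(text: str, width: int = 4) -> tuple:
    """'26.2' -> (26, 2, 0, 0). Numeric components, zero-padded to a fixed width
    so tuples of different length compare correctly ((26, 2) vs (26, 2, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > width:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is below the version that carries the fix."""
    key = product.strip().lower()
    if key not in FIXED_IN:
        raise KeyError(f"no fix line known for product {product!r}")
    return parse_version(version) < parse_version(FIXED_IN[key])


def triage(inventory_csv: str) -> list:
    """Return [(host, product, version, fixed_in)] for every host still needing the patch."""
    needs_patch = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        if is_affected(product, version):
            needs_patch.append((host, product, version, FIXED_IN[product.lower()]))
    return needs_patch


if __name__ == "__main__":
    for host, product, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {fixed}, update required")
```

Running the sample flags the 26.1, 26.1.1 and 18.7.2 devices and leaves the 26.2, 26.2.1 and 26.10 devices alone; the last of these is exactly the case a naive string comparison gets wrong.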

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The T1190 mapping follows from the CVSS attack vector (AV:N); Apple's description identifies no Internet-facing component, so treat that mapping as driven by the score rather than by a known network exploitation path. T1005 is the direct fit: the impact is collection of sensitive photos from local storage without the authentication the Hidden album is meant to enforce.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125891