CVE-2025-24221
Published: 31 March 2025
Summary
CVE-2025-24221 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Apple Ipados. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Keychain (T1555.001); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-28 (Protection of Information at Rest).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces improved data access restrictions on sensitive keychain data within iOS backups, addressing the core incorrect authorization vulnerability (CWE-863).
Protects sensitive keychain data at rest in backups through encryption or other mechanisms, preventing unauthorized access if backups are obtained by attackers.
Implements secure backup processes that restrict access to and protect confidentiality of sensitive information like keychain data in iOS backups.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly exposes sensitive keychain data (including credentials) in iOS backups due to insufficient access restrictions, enabling adversaries to acquire credentials from the keychain by accessing the backup file.
NVD Description
This issue was addressed with improved data access restriction. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, visionOS 2.4. Sensitive keychain data may be accessible from an iOS backup.
Deeper analysisAI
CVE-2025-24221 is a vulnerability in Apple's iOS, iPadOS, and visionOS operating systems that allows sensitive keychain data to be accessible from an iOS backup due to insufficient data access restrictions (CWE-863: Incorrect Authorization). The issue affects versions prior to iOS 18.4, iPadOS 18.4 and 17.7.6, and visionOS 2.4, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from a network-accessible attack requiring no privileges or user interaction.
An attacker with access to an iOS backup file—such as those created via iTunes or Finder—can exploit this vulnerability to read sensitive keychain data, including credentials and other protected information stored in the keychain. No authentication or privileges are required on the target device, and the attack can be performed remotely if the backup is obtainable over a network, such as from an unencrypted or compromised backup storage location.
Apple's security advisories detail that the vulnerability was addressed by improving data access restrictions in the fixed releases: iOS 18.4, iPadOS 18.4 and 17.7.6, and visionOS 2.4. Security practitioners should ensure devices are updated to these versions and advise users to encrypt backups and store them securely to mitigate risks from backup exposure. Additional details are available in Apple's support documents at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122372, and https://support.apple.com/en-us/122378, along with full disclosure archives.
Details
- CWE(s)