CVE-2025-30426
Published: 31 March 2025
Summary
CVE-2025-30426 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apple Ipados. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Software Discovery (T1518); ranked in the top 41.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the missing entitlement checks by enforcing approved authorizations, preventing apps from accessing lists of other installed apps.
Applies least privilege to restrict apps from enumerating other installed apps unless explicitly required for their function.
Enforces organizational policies on user-installed software to block or sandbox malicious apps capable of exploiting the enumeration vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables enumeration of installed applications by a malicious app, mapping to Software Discovery (T1518) for reconnaissance of victim host software.
NVD Description
This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. An app may be able to enumerate a user's installed apps.
Deeper analysisAI
CVE-2025-30426 is a vulnerability in Apple operating systems that allows an installed app to enumerate a user's other installed apps due to missing entitlement checks. Affected platforms include iOS versions prior to 18.4, iPadOS versions prior to 18.4 and 17.7.6, macOS Sequoia versions prior to 15.4, tvOS versions prior to 18.4, visionOS versions prior to 2.4, and watchOS versions prior to 11.4. Published on 2025-03-31, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
An attacker requires no privileges and can exploit this remotely over the network with low attack complexity and no user interaction. By distributing a malicious app that a user installs, the attacker can enumerate the full list of apps on the device, enabling potential reconnaissance of the user's installed software, preferences, and behavior.
Apple addressed the vulnerability through additional entitlement checks, with fixes released in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, and watchOS 11.4. Security advisories detail these updates on Apple's support pages, including https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122372, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, and https://support.apple.com/en-us/122377. Practitioners should prioritize patching affected devices to these versions.
Details
- CWE(s)