Cyber Posture

CVE-2025-43347

Critical

Published: 15 September 2025

Modified: 02 April 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-43347 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apple iPadOS (and the other Apple operating systems listed under Affected Products). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly addresses the input validation issue (CWE-20) by requiring comprehensive validation of inputs at critical points to block exploitation in vulnerable Apple OS code.

SI-2 Flaw Remediation (prevent)

Ensures timely identification, reporting, and patching of the critical flaw, which was fixed by code removal in the Apple OS version 26 updates.

Vulnerability scanning (detect)

Vulnerability scanning identifies the presence of CVE-2025-43347 in affected Apple operating systems prior to version 26, enabling targeted remediation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The input validation flaw (CWE-20) permits unauthenticated remote exploitation over the network with no user interaction, which directly enables T1190 for initial access and full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. An input validation issue was addressed.

Deeper analysis

CVE-2025-43347 is an input validation issue (CWE-20) affecting multiple Apple operating systems prior to their version 26 updates. The vulnerability was addressed by removing the vulnerable code and is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, and watchOS 26. It carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.

A remote attacker with no privileges and no user interaction required can exploit this vulnerability over the network with low attack complexity. Successful exploitation could allow the attacker to achieve a high-impact compromise, including unauthorized access to sensitive data, modification of system integrity, and disruption of availability.

Apple security advisories, detailed in support documents such as https://support.apple.com/en-us/125108 and related pages, confirm the fix through code removal in the specified version 26 updates. Security practitioners should prioritize updating affected devices to these patched versions to mitigate the risk.

Details

CWE(s)

CWE-20 (Improper Input Validation)
Affected Products

apple ipados (≤ 26.0)
apple iphone os (≤ 26.0)
apple macos (≤ 26.0)
apple tvos (≤ 26.0)
apple visionos (≤ 26.0)
apple watchos (≤ 26.0)

CVEs Like This One

CVE-2025-43234 (same product: Apple iPadOS)
CVE-2025-43359 (same product: Apple iPadOS)
CVE-2025-31281 (same product: Apple iPadOS)
CVE-2025-30471 (same product: Apple iPadOS)
CVE-2025-24237 (same product: Apple iPadOS)
CVE-2025-31255 (same product: Apple iPadOS)
CVE-2026-28894 (same product: Apple iPadOS)
CVE-2024-54499 (same product: Apple iPadOS)
CVE-2025-43510 (same product: Apple iPadOS)
CVE-2025-24137 (same product: Apple iPadOS)

References