CVE-2025-43428
Published: 17 December 2025
Summary
CVE-2025-43428 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Apple iPadOS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly prohibits unauthorized viewing of sensitive Hidden Photos Album content without identification and authentication.
- AC-3 (Access Enforcement): enforces approved authorizations to prevent network-accessible unauthorized access to protected photos in the Hidden Album.
- Mandates secure configuration settings with authentication restrictions for sensitive features like the Hidden Photos Album.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote, unauthenticated access to sensitive local photos via a configuration issue in network-accessible OS components, which maps directly to T1190 (Exploit Public-Facing Application) and T1005 (Data from Local System).
NVD Description
A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in the Hidden Photos Album may be viewed without authentication.
Deeper analysis
CVE-2025-43428 is a configuration issue (CWE-306: Missing Authentication for Critical Function) in Apple's Hidden Photos Album feature, allowing photos stored there to be viewed without authentication. The vulnerability affects iOS and iPadOS versions prior to 26.2, macOS Tahoe prior to 26.2, and visionOS prior to 26.2. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of requirements for privileges or user interaction.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation enables unauthorized viewing of sensitive photos in the Hidden Photos Album; the CVSS vector rates the impact on confidentiality, integrity, and availability as high.
Apple's security advisories state that the issue was addressed by adding additional restrictions, with fixes available in iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, and visionOS 26.2. The relevant updates are documented at https://support.apple.com/en-us/125884, https://support.apple.com/en-us/125886, and https://support.apple.com/en-us/125891.
Details
- CWE(s)