Description
An app could impersonate system notifications. Sensitive notifications now require restricted entitlements. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.3. An app may be able to cause a denial-of-service.
Published: 2025-04-30
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An application can masquerade as system alerts, potentially misleading users by displaying forged notifications. The flaw stems from an improper entitlement check, which is a form of weak authentication (CWE-290). When exploited, an attacker might cause a denial-of-service by disrupting or hijacking notification delivery mechanisms.

Affected Systems

The vulnerability affects devices running Apple iOS and iPadOS. Systems prior to iOS 18.3 and iPadOS 18.3 (or iPadOS 17.7.3 for iPadOS-only devices) are susceptible, whereas updated releases contain the fix.

Risk and Exploitability

The CVSS v3.1 score of 5.5 indicates moderate impact, and the EPSS score of less than 1% suggests low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Given that the flaw requires an application with restricted entitlements and operates within the device's local environment, the most likely attack vector is a local, user-initiated installation of a malicious app.

Generated by OpenCVE AI on April 28, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest supported operating system: iOS 18.3 or newer, or iPadOS 18.3 or 17.7.3.
  • Remove or prevent installation of applications that request notification-related entitlements without the latest OS update.
  • Continuously monitor for unexpected system-level notification activity and apply subsequent security updates as released.

Generated by OpenCVE AI on April 28, 2026 at 02:06 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-12763
Title: An app could impersonate system notifications. Sensitive notifications now require restricted entitlements. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.3. An app may be able to cause a denial-of-service.

History

Tue, 28 Apr 2026 02:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: App Can Impersonate System Notifications and Cause Denial of Service

Mon, 12 May 2025 20:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Apple; Apple ipados; Apple iphone Os

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Apple; Apple ipados; Apple iphone Os

Wed, 30 Apr 2025 21:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-290

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 30 Apr 2025 17:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: An app could impersonate system notifications. Sensitive notifications now require restricted entitlements. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.3. An app may be able to cause a denial-of-service.

References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:17:46.578Z

Reserved: 2025-01-17T00:00:44.966Z

Link: CVE-2025-24091

Vulnrichment

Updated: 2025-04-30T20:02:03.668Z

NVD

Status: Analyzed

Published: 2025-04-30T18:15:39.203

Modified: 2025-05-12T19:43:23.130

Link: CVE-2025-24091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:15:18Z

Weaknesses