Description
The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user’s current location.
Published: 2025-01-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Location
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from inadequate checks within Apple’s operating system, allowing applications to determine a user’s current location without going through the standard permission workflow. This flaw can lead to privacy violations by exposing sensitive location information. The weakness is characterized as CWE‑200, which describes information disclosure vulnerabilities.

Affected Systems

Apple’s iPadOS and macOS products are affected. The defect is fixed in iPadOS 17.7.4 and in macOS releases Sequoia 15.3, Sonoma 14.7.3, and Ventura 13.7.3. Users running earlier versions of these operating systems remain vulnerable.

Risk and Exploitability

The CVSS score of 9.8 places this issue in the Critical range. The EPSS value of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation would typically involve a malicious app installed on the device; such an app could bypass normal location permission checks and read the user’s precise position. Because the weakness is client‑side, the attack surface is limited to applications already present on the device.

Generated by OpenCVE AI on April 28, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to iPadOS 17.7.4 or later, or to macOS Sequoia 15.3, Sonoma 14.7.3, or Ventura 13.7.3 or newer.
  • Review the location permissions granted to each app in Settings and restrict access to only trusted applications.
  • Uninstall or remove applications that request location data unnecessarily and that are not from trusted sources.



Advisories
Source: EUVD
ID: EUVD-2025-3617
Title: The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user’s current location.

History

Tue, 28 Apr 2026 04:15:00 +0000

Type: Title
Values Added: Location Disclosure via Improper Permission Checks

Mon, 03 Nov 2025 21:30:00 +0000


Fri, 04 Apr 2025 19:45:00 +0000

Type: First Time appeared
Values Added:
  • Apple
  • Apple ipados
  • Apple macos

Type: CPEs
Values Added:
  • cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  • Apple
  • Apple ipados
  • Apple macos

Wed, 19 Mar 2025 18:45:00 +0000

Type: Weaknesses
Values Added: CWE-200

Tue, 28 Jan 2025 15:15:00 +0000

Type: Metrics
Values Added:
  • cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Jan 2025 22:00:00 +0000

Type: Description
Values Added: The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user’s current location.

References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:16:56.599Z

Reserved: 2025-01-17T00:00:44.968Z

Link: CVE-2025-24102

Vulnrichment

Updated: 2025-01-28T14:57:12.925Z

NVD

Status: Modified

Published: 2025-01-27T22:15:15.807

Modified: 2025-11-03T21:19:17.357

Link: CVE-2025-24102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:00:05Z

Weaknesses