Description
An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked.
Published: 2025-01-27
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential local disclosure of Photos while app is locked
Action: Update OS
AI Analysis

Impact

An authentication flaw in iOS and iPadOS was corrected by improving state management. Devices that had not yet applied the 18.3 update could allow an attacker who has physical access to a device in an unlocked state to view or retrieve content from the Photos app even when that app is locked. The flaw does not enable remote code execution or system compromise beyond the limited exposure of personal images and may be immediately exploitable by anyone with the device in hand.

Affected Systems

Apple iOS and Apple iPadOS versions prior to iOS 18.3 and iPadOS 18.3 are affected.

Risk and Exploitability

The CVSS score of 3.3 denotes a low‑severity vulnerability, and the EPSS score of less than 1 percent indicates that the probability of exploitation is very small. Because the attack requires the device to be physically accessible and already unlocked, the risk is limited to situations where the user leaves the device unattended. The vulnerability is not listed in the CISA KEV catalog and no widespread exploitation has been reported.

Generated by OpenCVE AI on April 28, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the iOS 18.3 or iPadOS 18.3 update to install the state‑management fix
  • Configure the device to require a passcode, Face ID, or Touch ID immediately after the screen locks, preventing unauthorized users from accessing the device when it is not actively in use
  • When leaving a device unattended, lock it manually or use the automatic lock feature to ensure it is not left in an unlocked state
  • Ensure that the Photos app enforces proper authorization (CWE‑863) by verifying the user’s identity before granting access to private photo data


Tracking


Advisories
Source | ID | Title
EUVD | EUVD-2025-3649 | An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked.
History

Mon, 03 Nov 2025 21:30:00 +0000

Type | Values Removed | Values Added
References: (values not shown)

Tue, 04 Feb 2025 22:15:00 +0000

Type | Values Removed | Values Added
Weaknesses: CWE-863
Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Jan 2025 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared: Apple; Apple ipados; Apple iphone Os
Weaknesses: NVD-CWE-noinfo
CPEs: cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products: Apple; Apple ipados; Apple iphone Os
Metrics: cvssV3_1
{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Mon, 27 Jan 2025 22:00:00 +0000

Type | Values Removed | Values Added
Description: An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked.
References: (values not shown)

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:21:29.555Z

Reserved: 2025-01-17T00:00:44.975Z

Link: CVE-2025-24141

Vulnrichment

Updated: 2025-11-03T21:03:44.932Z

NVD

Status: Modified

Published: 2025-01-27T22:15:18.800

Modified: 2025-11-03T21:19:26.770

Link: CVE-2025-24141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:15:30Z

Weaknesses