Description
This issue was addressed with improved authentication. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos.
Published: 2025-03-31
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to personal photos via USB‑C
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from an improper authorization check in iOS and iPadOS that allows an attacker who has a USB‑C connection to an unlocked device to programmatically access photos. This flaw is classified as CWE‑284, illustrating a weakness in access control that compromises confidentiality. While it does not provide broader system compromise, the attacker could retrieve any photo stored locally on the device.

Affected Systems

Apple iOS and iPadOS devices running versions prior to 18.4 are affected. The fix is provided in iOS 18.4 and iPadOS 18.4, so any device not updated to these releases remains at risk.

Risk and Exploitability

The CVSS score is 2.4, indicating low severity. The EPSS score is below 1%, reflecting a very low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation is limited to situations where an attacker has physical access to the device via USB‑C and the device is unlocked. Under these constraints, the risk is moderate but constrained to physical possession and unlocking the device.

Generated by OpenCVE AI on April 28, 2026 at 02:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to iOS 18.4 or iPadOS 18.4 to receive the hardened authentication fix.
  • Before connecting via USB‑C, lock the device to prevent unauthorized programmatic access.
  • If using a mobile device management solution, disable or restrict USB file transfer unless the device is in a trusted state.

Generated by OpenCVE AI on April 28, 2026 at 02:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8993 This issue was addressed with improved authentication. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos.
History

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Limited Access to Photos via USB‑C on Unlocked Devices in iOS/iPadOS

Mon, 03 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved authentication. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker with a USB-C connection to an unlocked device may be able to programmatically access photos.
References

Subscriptions

Apple Ipados Iphone Os
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:24:10.377Z

Reserved: 2025-01-17T00:00:44.997Z

Link: CVE-2025-24193

cve-icon Vulnrichment

Updated: 2025-11-03T21:07:06.740Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:17.703

Modified: 2025-11-03T21:19:32.310

Link: CVE-2025-24193

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T02:45:11Z

Weaknesses