Description
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.9. An app may be able to read a persistent device identifier.
Published: 2025-05-12
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to persistent device identifier
Action: Immediate Patch
AI Analysis

Impact

A permissions flaw allows an application to read a persistent device identifier previously protected by stricter device‑level restrictions. The vulnerability does not enable arbitrary code execution or privilege escalation but exposes a unique device identifier that could be used for tracking, profiling, or linking user activity across services. The weakness is a classic information disclosure flaw identified as CWE‑200.

Affected Systems

The flaw affects Apple’s mobile operating systems, specifically iOS and iPadOS. Versions prior to iOS 18.4, iPadOS 18.4, and the older iPadOS 17.7.9 are vulnerable. Devices running the affected releases must be updated to the stated patched versions to eliminate the issue.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests that real‑world exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. It can be exploited by any application on the device that gains authorization to read device identifiers, meaning the threat vector is local, arising from any installed app. Because the flaw does not require additional conditions such as network access or user interaction beyond normal permission usage, it is relatively easy for an attacker who controls an app to read the identifier.

Generated by OpenCVE AI on April 28, 2026 at 11:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to iOS 18.4 or later, iPadOS 18.4 or later, or iPadOS 17.7.9 or later to apply the vendor patch
  • Review the list of installed applications and disable or remove any that request device‑identifier access but are unnecessary
  • Apply the principle of least privilege to app permissions by limiting access to device identifiers to only those apps explicitly authorized for such data

Generated by OpenCVE AI on April 28, 2026 at 11:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14861 A permissions issue was addressed with additional restrictions. This issue is fixed in iPadOS 17.7.7, iOS 18.4 and iPadOS 18.4. An app may be able to read a persistent device identifier.
History

Tue, 28 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Title Permissions Flaw Exposes Persistent Device Identifier in iOS and iPadOS

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4. An app may be able to read a persistent device identifier. A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.9. An app may be able to read a persistent device identifier.
References

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 27 May 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os

Tue, 20 May 2025 17:45:00 +0000

Type Values Removed Values Added
References

Tue, 20 May 2025 16:30:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in iPadOS 17.7.7, iOS 18.4 and iPadOS 18.4. An app may be able to read a persistent device identifier. A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4. An app may be able to read a persistent device identifier.

Wed, 14 May 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 May 2025 21:45:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in iPadOS 17.7.7, iOS 18.4 and iPadOS 18.4. An app may be able to read a persistent device identifier.
References

Subscriptions

Apple Ipados Iphone Os
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:07:39.622Z

Reserved: 2025-01-17T00:00:45.003Z

Link: CVE-2025-24220

cve-icon Vulnrichment

Updated: 2025-05-14T13:36:56.072Z

cve-icon NVD

Status : Modified

Published: 2025-05-12T22:15:19.993

Modified: 2026-04-02T19:19:21.333

Link: CVE-2025-24220

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:30:29Z

Weaknesses