Description
This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6. Photos in the Hidden Photos Album may be viewed without authentication.
Published: 2025-03-31
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated access to private photos
Action: Update OS
AI Analysis

Impact

An authentication bypass flaw in the Hidden Photos Album allows a user to view photos stored there without proper verification. The weakness stems from inadequate state management in the Photos app, enabling reference to the hidden photo container regardless of user authentication. This could expose sensitive images, compromising confidentiality for the device owner.

Affected Systems

The vulnerability affects Apple’s iOS and iPadOS platforms. The flaw exists in iOS versions prior to 18.4 and iPadOS versions prior to 18.4 or 17.7.6. Devices running these versions and using the Hidden Photos Album are susceptible.

Risk and Exploitability

The CVSS score is 5.4, reflecting a moderate impact. The EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalogue, suggesting no publicly known active exploitation yet. Attackers would likely need local access to the device but could leverage the Hidden Photos Album feature without requiring user credentials, implying a local privilege escalation path.

Generated by OpenCVE AI on April 28, 2026 at 03:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest iOS 18.4 or iPadOS 18.4/17.7.6 update
  • If immediate update is not feasible, temporarily disable the Hidden Photos Album feature or remove sensitive images
  • Ensure all devices enforce strong user authentication before accessing photo libraries

Generated by OpenCVE AI on April 28, 2026 at 03:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8925 This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6. Photos in the Hidden Photos Album may be viewed without authentication.
History

Tue, 28 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Title Hidden Photos Album Unauthorized Access in iOS and iPadOS

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os

Thu, 03 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-305
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6. Photos in the Hidden Photos Album may be viewed without authentication.
References

Subscriptions

Apple Ipados Iphone Os
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:08:59.617Z

Reserved: 2025-03-22T00:04:43.716Z

Link: CVE-2025-30428

cve-icon Vulnrichment

Updated: 2025-04-02T14:16:58.258Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:25.133

Modified: 2025-11-03T22:18:44.583

Link: CVE-2025-30428

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:30:19Z

Weaknesses