Description
This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4. Password autofill may fill in passwords after failing authentication.
Published: 2025-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass via password autofill after failed login
Action: Apply patches
AI Analysis

Impact

This vulnerability permits an attacker to trigger the system's password autofill even after unauthenticated or failed login attempts, enabling the retrieval of stored credentials. The weakness arises from improper state management during authentication and is classified as CWE‑287. The potential impact is exposure of usernames and passwords, compromising confidentiality and allowing subsequent unauthorized access.

Affected Systems

Affected vendors include Apple, with products iOS, iPadOS, macOS, visionOS, and watchOS. Versions earlier than iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, and watchOS 11.4 are vulnerable. The issue is fixed in these publicly released versions.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. An EPSS below 1% suggests a low probability of exploitation, and the CVE is not listed in the CISA KEV catalog. Exploitation requires the attacker to be able to initiate a login attempt on the device; the attacker can then observe that the password field is auto‑filled with the target’s credentials, enabling credential theft. The attack vector is likely local, inferred from the description.

Generated by OpenCVE AI on April 28, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, or watchOS 11.4, whichever applies; the update contains the official fix.
  • If an update is not immediately available, temporarily disable the password autofill feature to prevent unintended credential disclosure.
  • Configure device lock policies and enable multi‑factor authentication to reduce the impact of any credential theft.

Advisories
Source: EUVD
ID: EUVD-2025-8922
Title: This issue was addressed through improved state management. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Password autofill may fill in passwords after failing authentication.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type: Title
Values Added: Authentication bypass allowing password autofill after failed login

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: This issue was addressed through improved state management. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Password autofill may fill in passwords after failing authentication.
Values Added: This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4. Password autofill may fill in passwords after failing authentication.

Type: References

Mon, 03 Nov 2025 22:30:00 +0000


Mon, 03 Nov 2025 20:30:00 +0000

Type: References

Mon, 07 Apr 2025 14:45:00 +0000

Type: First Time appeared
Values Added:
  • Apple
  • Apple ipados
  • Apple iphone Os
  • Apple macos
  • Apple visionos

Type: CPEs
Values Added:
  • cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  • Apple
  • Apple ipados
  • Apple iphone Os
  • Apple macos
  • Apple visionos

Tue, 01 Apr 2025 20:15:00 +0000

Type: Weaknesses
Values Added: CWE-287

Type: Metrics
Values Added:
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Type: Description
Values Added: This issue was addressed through improved state management. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Password autofill may fill in passwords after failing authentication.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:22:39.317Z

Reserved: 2025-03-22T00:04:43.716Z

Link: CVE-2025-30430

Vulnrichment

Updated: 2025-04-01T19:38:55.359Z

NVD

Status: Modified

Published: 2025-03-31T23:15:25.313

Modified: 2026-04-02T19:19:35.300

Link: CVE-2025-30430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:45:11Z

Weaknesses