Description
An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information.
Published: 2025-07-10
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure through authentication state failure on an unlocked device
Action: Apply patch
AI Analysis

Impact

An authentication flaw in App Store Connect, fixed in version 3.0, allows an attacker who gains physical access to a device that is already unlocked to view sensitive user information by exploiting improper state management of authenticated sessions.

Affected Systems

Apple App Store Connect. Any version prior to 3.0 is vulnerable; the fix is delivered in App Store Connect 3.0 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.6, indicating moderate risk. The EPSS score is below 1%, meaning exploitation is expected to be rare, and the issue is not listed in the CISA KEV catalog. The likely attack path requires physical access to an already unlocked device, after which an attacker can read protected data that should otherwise be shielded by authentication state checks.

Generated by OpenCVE AI on April 28, 2026 at 01:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade App Store Connect to version 3.0 or later to receive the authentication state management fix.
  • Ensure that devices are locked and physically secured when not in use to prevent unauthorized access to authenticated sessions.
  • Enforce device management policies that automatically lock screens and restrict physical access to authorized personnel only.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-21072
Title: An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information.
References
History

Tue, 28 Apr 2026 01:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: Authentication State Mismanagement Allows Physical Access to Sensitive User Information on App Store Connect

Tue, 29 Jul 2025 18:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Apple; Apple app Store Connect

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:apple:app_store_connect:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Apple; Apple app Store Connect

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00026}
Values Added: {'score': 0.00023}


Tue, 15 Jul 2025 14:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-287

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: (none)
Values Added: {'score': 0.00026}


Thu, 10 Jul 2025 22:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information.

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

Apple App Store Connect
MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:20:43.047Z

Reserved: 2025-03-27T16:13:58.341Z

Link: CVE-2025-31267

Vulnrichment

Updated: 2025-07-15T13:44:55.984Z

NVD

Status: Analyzed

Published: 2025-07-10T23:15:27.800

Modified: 2025-07-29T18:08:30.433

Link: CVE-2025-31267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:15:15Z

Weaknesses