Description
An authentication issue was addressed with improved state management. This issue is fixed in watchOS 26.1. An attacker with physical access to a locked Apple Watch may be able to view Live Voicemail.
Published: 2025-11-04
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to Live Voicemail
Action: Immediate Patch
AI Analysis

Impact

An authentication flaw in watchOS state management can allow an attacker with physical possession of a locked Apple Watch to read Live Voicemail. The vulnerability permits exploitation without compromising the passcode, violating the user's privacy and confidentiality by exposing voicemail content.

Affected Systems

Apple watchOS devices running versions prior to 26.1 are impacted. The fix was applied in watchOS 26.1, so any watchOS version earlier than 26.1 remains vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates medium severity, and the EPSS score of < 1% suggests a very low likelihood of exploitation. Because the issue requires physical access to a locked device, its practical risk is limited to situations where an adversary can obtain the device. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Apple Watch to watchOS 26.1 or later
  • Ensure the device is protected with a secure passcode and not left unattended
  • Limit physical access to the device by keeping it in a secured area

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 22:00:00 +0000

Type | Values Removed | Values Added
Title | | Physical Access Authentication Bypass Allows Access to Live Voicemail on Apple Watch

Tue, 04 Nov 2025 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Tue, 04 Nov 2025 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple watchos
Vendors & Products | | Apple; Apple watchos

Tue, 04 Nov 2025 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-863
Metrics | | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 01:45:00 +0000

Type | Values Removed | Values Added
Description | | An authentication issue was addressed with improved state management. This issue is fixed in watchOS 26.1. An attacker with physical access to a locked Apple Watch may be able to view Live Voicemail.
MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:15:14.668Z

Reserved: 2025-04-16T15:24:37.126Z

Link: CVE-2025-43459

Vulnrichment

Updated: 2025-11-04T13:20:42.663Z

NVD

Status: Analyzed

Published: 2025-11-04T02:15:51.313

Modified: 2026-06-17T09:24:03.330

Link: CVE-2025-43459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:45:06Z

Weaknesses