Description
The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission.
Published: 2025-11-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Keylogging / Privacy Leak
Action: Patch
AI Analysis

Impact

The vulnerability allows an application running on Apple iOS or iPadOS to capture user keystrokes without the user’s explicit permission. By exploiting this flaw, a malicious or untrusted app could silently log typed data, potentially compromising sensitive personal information such as passwords, credit card numbers, or private messages. This is a privacy breach affecting confidentiality and may lead to identity theft or other malicious exploitation. It is classified as a data disclosure and authorization weakness (CWE‑200 and CWE‑284).

Affected Systems

Apple iOS and iPadOS devices are affected. The flaw exists in all versions prior to iOS 18.7.2, iOS 26.1, iPadOS 18.7.2, and iPadOS 26.1. Devices running these earlier releases can be targeted until they receive the correction.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate impact. The EPSS score is below 1%, suggesting that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog of known exploited vulnerabilities. The likely attack vector is local, requiring the installation or execution of a malicious app on the device. Once the app is active, it could monitor keyboard input across other apps, bypassing the standard permission model. Because of the low EPSS and the need for local deployment, the overall risk is moderate, but remediation through updating the operating system is recommended.

Generated by OpenCVE AI on April 22, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to iOS 18.7.2 or later, or to iOS 26.1 or later on compatible devices; likewise upgrade to iPadOS 18.7.2 or later, or 26.1 or later.
  • Disable or uninstall any third‑party keyboard extensions or accessibility services that could capture input.
  • Review the device’s app privacy settings, ensuring that only trusted applications have access to keyboard data, and periodically check the App Privacy Report for unusual data collection.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Title Unauthorized Keylogging via App Without User Permission

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description
  Removed: The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to monitor keystrokes without user permission.
  Added: The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission.
References

Wed, 05 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Wed, 05 Nov 2025 18:45:00 +0000

Type Values Removed Values Added
Description
  Removed: The issue was addressed with improved checks. This issue is fixed in iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission.
  Added: The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to monitor keystrokes without user permission.
References

Tue, 04 Nov 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 04 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipad Os
Vendors & Products Apple
Apple ios
Apple ipad Os

Tue, 04 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 01:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved checks. This issue is fixed in iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:18:48.165Z

Reserved: 2025-04-16T15:27:21.191Z

Link: CVE-2025-43495

Vulnrichment

Updated: 2025-11-04T15:28:40.524Z

NVD

Status: Modified

Published: 2025-11-04T02:15:52.687

Modified: 2025-12-17T21:16:08.303

Link: CVE-2025-43495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:45:06Z

Weaknesses