CVE-2025-24145 in iOS
Summary
by MITRE • 01/28/2025
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.3, iOS 18.3 and iPadOS 18.3. An app may be able to view a contact's phone number in system logs.
Analysis
by VulDB Data Team • 01/31/2025
CVE-2025-24145 is a privacy flaw in Apple's operating systems in which a contact's phone number could appear unredacted in system log entries. Apple's logging framework is designed to strip or mask private data before a log entry is persisted or displayed; this issue is a gap in that redaction, so a phone number that should have been masked was written to the log in clear text. Apple fixed it in macOS Sequoia 15.3, iOS 18.3 and iPadOS 18.3 by improving private data redaction for log entries. The practical consequence, as the advisory states, is that an app able to read the relevant log entries could learn a contact's phone number, in effect sidestepping the Contacts permission that normally gates that data.
Technically, the weakness sits in the redaction step of the system logging framework rather than in any one application. When a system component logs a message that includes contact data, the framework is expected to mask sensitive fields such as phone numbers before the entry is stored or shown; in Apple's unified log, dynamic values are normally rendered with the placeholder <private> unless the logging code explicitly marks them public. Here a phone number reached the log without that masking. Apple's advisory does not say which component wrote the entry or why it escaped redaction, so the exact trigger is not public and should not be guessed at. The flaw is a failure of data minimization: a log should retain only what is needed to diagnose the system, not personal data. VulDB classifies it under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
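The following is an added example, not Apple's code and not the component that leaked: it shows how Apple's os.Logger and os_log decide whether a value is redacted, and the opt-in that turns a phone number into clear text in the log store. The subsystem and category names and the sample contact are placeholders; it requires macOS 11 / iOS 14 or later.

```swift
// Added example (not Apple's code and not the vulnerable component): how
// os.Logger decides whether a value is redacted, and the opt-in that writes a
// phone number to the log in clear text. Requires macOS 11 / iOS 14 or later.
// Subsystem and category names are placeholders.
import Foundation
import os

let logger = Logger(subsystem: "com.example.contactsdemo", category: "redaction")

// Constructed sample values; not a real contact.
let contactName = "Alice Example"
let phoneNumber = "+1 555 0100"

// 1. Default behaviour: an interpolated dynamic value is private. `log show`
//    renders it as <private> unless private data logging has been enabled on
//    the device, so the number does not reach the persisted log in clear text.
logger.info("Dialling contact \(phoneNumber)")

// 2. The leak pattern: privacy: .public writes the value verbatim. Anyone who
//    can read the log (log show, Console, a sysdiagnose archive) sees it.
logger.info("Dialling contact \(phoneNumber, privacy: .public)")      // BAD

// 3. Correlation without exposure: .private(mask: .hash) persists a hash of
//    the value, so repeated entries for the same number can be matched
//    without revealing the number itself.
logger.info("Dialling contact \(phoneNumber, privacy: .private(mask: .hash))")

// 4. Keep the sensitive field private even when the rest of the message is
//    harmless; static text in the message is always visible.
logger.info("Dialling \(contactName, privacy: .private) via cellular")

// 5. Legacy os_log API with format strings: %@ is private by default, and the
//    %{public} modifier is the same opt-in as privacy: .public above.
let legacy = OSLog(subsystem: "com.example.contactsdemo", category: "legacy")
os_log("Dialling %@", log: legacy, type: .info, phoneNumber)           // <private>
os_log("Dialling %{public}@", log: legacy, type: .info, phoneNumber)   // BAD
```

Run it on macOS and inspect the result with log show --predicate 'subsystem == "com.example.contactsdemo"' --last 5m: entries 1, 3 and the first os_log call show <private> or a hash in place of the number, while the two lines marked BAD show it verbatim. A leak of the kind described in the advisory corresponds to the BAD pattern inside a system component, with the difference that the developer of a third-party app cannot fix it locally.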
The operational impact goes beyond a nominal privacy concern. An attacker who can read the affected log entries, whether through an app on the device, a sysdiagnose or log export shared for support purposes, or another vulnerability, could harvest contact phone numbers and use them for phishing, smishing, social engineering or harassment. Because the leak is in the operating system's logging path rather than in a single app, every installation of the affected versions that wrote the relevant entries was exposed, regardless of which apps the user had installed. The exposure also outlives the moment of logging: unified log entries are retained on the device for some time and are bundled into sysdiagnose archives. The update changes what is written going forward; entries already persisted or exported are not redacted retroactively, so existing exports from unpatched devices should be treated as containing personal data.
Mitigation is straightforward: deploy macOS Sequoia 15.3, iOS 18.3 and iPadOS 18.3 (or later) across all affected devices, and use MDM compliance reporting to find devices still on older builds. Because the fix is in the operating system, there is no app-side workaround for third-party developers beyond the general rule of never marking contact data public in their own log calls. Organizations that collect sysdiagnose archives or log exports should limit who can read them and should review them for unredacted phone numbers, both to scope past exposure and to confirm that patched devices no longer emit them. The fix addresses the root cause by improving the private data redaction applied to log entries. VulDB maps the issue to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools); the mapping is loose, since nothing is disabled or modified here and the gap is in the redaction logic itself. The broader lesson is that log redaction is a security control and needs the same testing as any other: a single unmasked value is enough to turn a diagnostic log into a data leak.
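As an added example of the log review suggested above (not VulDB's or Apple's code), the script below scans exported log text for phone-number-like values that were not redacted. The three input lines are constructed for illustration; real log show output has more columns and its layout varies by output style and OS release, so the scanner only strips the leading timestamp and inspects the rest of each line.

```swift
// Added example (not VulDB's or Apple's code): flag phone-number-like values
// in exported log text that should have been rendered as <private> or as a
// hash. The sample lines are constructed; real `log show` output has more
// columns, so only the leading timestamp is stripped before scanning.
import Foundation

// Leading timestamp of the form 2025-01-31 09:12:45.123456+0100
let timestampPattern = #"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{4}\s*"#

// 8 to 15 digits, optional leading +, at most one separator between digits.
// Short numeric fields such as PIDs do not reach the minimum length.
let phonePattern = #"\+?\d(?:[\s().-]?\d){7,14}"#

struct Finding {
    let lineNumber: Int
    let candidate: String
    let line: String
}

func unredactedNumbers(in logText: String) -> [Finding] {
    let tsRegex = try! NSRegularExpression(pattern: timestampPattern)
    let phoneRegex = try! NSRegularExpression(pattern: phonePattern)
    var findings: [Finding] = []
    let lines = logText.split(separator: "\n", omittingEmptySubsequences: false)
    for (index, rawLine) in lines.enumerated() {
        let line = String(rawLine)
        // Drop the timestamp so its digits are not mistaken for a number.
        let body = tsRegex.stringByReplacingMatches(
            in: line, range: NSRange(line.startIndex..., in: line), withTemplate: "")
        let bodyRange = NSRange(body.startIndex..., in: body)
        for match in phoneRegex.matches(in: body, range: bodyRange) {
            guard let r = Range(match.range, in: body) else { continue }
            findings.append(Finding(lineNumber: index + 1,
                                    candidate: String(body[r]),
                                    line: line))
        }
    }
    return findings
}

// Constructed sample: one redacted entry, one hashed entry, one leaked entry.
let sample = """
2025-01-31 09:12:45.123456+0100 Contacts[1234]: (ContactsUI) dialling <private>
2025-01-31 09:12:46.001000+0100 Contacts[1234]: (ContactsUI) dialling <mask.hash: 'Qm9ndXNIYXNo'>
2025-01-31 09:12:47.400000+0100 Contacts[1234]: (ContactsUI) dialling +1 555 0100 for Alice Example
"""

// Only the third line is reported: "+1 555 0100".
for f in unredactedNumbers(in: sample) {
    print("line \(f.lineNumber): unredacted candidate '\(f.candidate)' in: \(f.line)")
}
```

To use it on a real device, export the period of interest with log show --last 1d (or from a sysdiagnose archive) and pass the file contents in place of the sample. A hit is a candidate for manual review rather than proof of a leak, since other long numeric identifiers can match the pattern; the point of the check is that, after the update, entries from the contact and telephony components should contain placeholders and hashes rather than dialable numbers.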