Apple iOS/iPadOS up to 18.6 information disclosure

Summaryinfo

A vulnerability, which was classified as problematic, has been found in Apple iOS and iPadOS. This issue affects some unknown processing. The manipulation leads to information disclosure. This vulnerability is referenced as CVE-2025-43190. The attack can only be performed from a local environment. No exploit is available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in Apple iOS and iPadOS and classified as problematic. This issue affects an unknown functionality. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sonoma 14.8, macOS Sequoia 15.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. An app may be able to access sensitive user data.

The advisory is shared at support.apple.com. The identification of this vulnerability is CVE-2025-43190 since 04/16/2025. The exploitation is known to be easy. An attack has to be approached locally. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 09/25/2025). MITRE ATT&CK project uses the attack technique T1592 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 265371 (macOS 26.x < 26.0 Multiple Vulnerabilities (125110)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 26.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (265371). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Smartphone Operating System

Vendor

• Apple

Name

• iOS
• iPadOS

Version

• 10.15.0
• 12.4.7
• 12.5.2
• 12.5.3
• 12.7
• 13.0
• 13.0.1
• 13.1
• 13.1.1
• 13.2
• 13.3
• 13.3.1
• 13.4
• 13.4.1
• 13.5
• 13.5.1
• 13.6
• 13.7
• 14.0
• 14.2
• 14.3
• 14.4
• 14.4.1
• 14.4.2
• 14.5
• 14.5.0
• 14.5.1
• 14.6
• 14.7
• 14.7.1
• 14.8
• 15
• 15.0
• 15.0.1
• 15.0.2
• 15.1
• 15.2
• 15.2.1
• 15.3
• 15.3.1
• 15.4
• 15.4.1
• 15.5
• 15.6
• 15.6.1
• 15.7
• 15.7.1
• 15.7.4
• 16.2
• 16.3
• 16.3.1
• 16.4
• 16.4.1
• 16.5
• 16.5.1
• 16.6
• 16.6.1
• 16.7
• 16.7.2
• 16.7.3
• 16.7.6
• 17
• 17.0
• 17.0.3
• 17.1
• 17.2
• 17.3
• 17.4
• 17.4.0
• 17.5
• 17.7
• 17.7.4
• 17.7.5
• 18
• 18.0
• 18.0.1
• 18.1
• 18.2
• 18.3
• 18.3.0
• 18.3.1
• 18.4
• 18.5
• 18.6

License

• commercial

Website

• Vendor: https://www.apple.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion