CVE-2025-43225
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Description
A logging issue was addressed with improved data redaction. This issue is fixed in iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access sensitive user data.
Analysis
Local apps can access sensitive user data through inadequate log redaction in iPadOS and macOS, allowing information disclosure when a user interacts with a malicious application. Apple has released patches for iPadOS 17.7.9 and macOS versions 15.6 (Sequoia), 14.7.7 (Sonoma), and 13.7.7 (Ventura) that implement improved data redaction in logging. The EPSS score of 0.01% and absence of public exploit code indicate low real-world exploitation likelihood despite moderate CVSS scoring.
Technical Context
This vulnerability stems from CWE-532 (Insertion of Sensitive Information into Log File), where logging mechanisms on macOS and iPadOS fail to adequately redact sensitive user data before writing to logs. The root cause involves insufficient sanitization of logging output, allowing local applications to access unredacted sensitive information through standard system logging facilities. The local attack vector (AV:L) and lack of privilege requirement (PR:N) indicate that any local application with user-level access can exploit this flaw when a user interacts with a malicious app (UI:R). This affects Apple's core operating systems across multiple recent versions: iPadOS 17.x, macOS Sequoia 15.x, macOS Sonoma 14.x, and macOS Ventura 13.x.
Affected Products
CVE-2025-43225 affects multiple Apple operating systems: iPadOS up to version 17.7.8 (fixed in 17.7.9), macOS Sequoia up to version 15.5 (fixed in 15.6), macOS Sonoma up to version 14.7.6 (fixed in 14.7.7), and macOS Ventura up to version 13.7.6 (fixed in 13.7.7). The CPE strings indicate the vulnerability exists across all minor versions of these major releases prior to the stated fixes. Apple security advisories are available at https://support.apple.com/en-us/124148 (Sequoia), https://support.apple.com/en-us/124149 (Sonoma), https://support.apple.com/en-us/124150 (Ventura), and https://support.apple.com/en-us/124151 (iPadOS).
Remediation
Vendor-released patches are available and should be deployed: update iPadOS to 17.7.9 or later, macOS Sequoia to 15.6 or later, macOS Sonoma to 14.7.7 or later, or macOS Ventura to 13.7.7 or later. These patched versions implement improved data redaction in logging systems to prevent unauthorized access to sensitive information. Users should apply updates through the standard iOS/macOS Software Update mechanism (Settings > General > Software Update). No workarounds are documented; patching is the only mitigation. Complete advisory details are available at the Apple support pages referenced above.
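A fleet-side check built from the fixed versions listed above, added here as an example that is not from this page or from Apple. It assumes the product name and version string come from `sw_vers` on the host (or from an MDM inventory export) and covers only the four OS families this advisory names; anything else is reported as "not covered" rather than guessed.

```python
import subprocess
from typing import Optional, Tuple

# Fixed versions from the Apple advisories cited on this page, keyed by OS family.
# Any version below these is affected by CVE-2025-43225 (CWE-532 log redaction).
FIXED_VERSIONS = {
    "iPadOS 17": "17.7.9",
    "macOS Sequoia 15": "15.6",
    "macOS Sonoma 14": "14.7.7",
    "macOS Ventura 13": "13.7.7",
}

# Map (product name as printed by `sw_vers -productName`, or "iPadOS", major) to a family.
FAMILY_BY_MAJOR = {
    ("iPadOS", 17): "iPadOS 17",
    ("macOS", 15): "macOS Sequoia 15",
    ("macOS", 14): "macOS Sonoma 14",
    ("macOS", 13): "macOS Ventura 13",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'15.6' -> (15, 6, 0); '14.7.6' -> (14, 7, 6). Pads so tuple comparison is sound."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if affected, False if at/after the fixed build, None if the advisories
    on this page do not cover this product/major (e.g. macOS 12 or iPadOS 18)."""
    v = parse_version(version)
    family = FAMILY_BY_MAJOR.get((product, v[0]))
    if family is None:
        return None
    return v < parse_version(FIXED_VERSIONS[family])


if __name__ == "__main__":
    # On a Mac, query the local system; sw_vers is a standard macOS tool.
    name = subprocess.run(["sw_vers", "-productName"], capture_output=True, text=True).stdout
    ver = subprocess.run(["sw_vers", "-productVersion"], capture_output=True, text=True).stdout
    print(name.strip(), ver.strip(), "affected:", is_affected(name.strip(), ver.strip()))
```

A `None` result means the host is outside the scope of these four advisories, which is a prompt to consult Apple's release notes for that OS line, not a clean bill of health.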