CVE-2025-43280

Severity: MEDIUM (CVSS 3.1 base score 4.7)
Published: 2025-10-15 [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

CVE Published: Oct 15, 2025 - 20:15 (nvd)
Analysis Generated: Apr 02, 2026 - 19:37 (vuln.today)

Description

The issue was resolved by not loading remote images. This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode.

Analysis

Mail in Lockdown Mode on iOS and iPadOS allows information disclosure through remote image loading when forwarding emails, bypassing the Lockdown Mode protection that is meant to block this kind of tracking. Apple released patches in iOS 18.6 and iPadOS 18.6 that prevent remote image loading in this scenario. Triggering the issue requires user interaction (forwarding an email) and needs no authentication on the attacker's side; the EPSS score of 0.03% indicates a low real-world exploitation probability despite the network attack vector.

Technical Context

Lockdown Mode is Apple's hardened security configuration designed to protect high-risk users by disabling certain features and enforcing stricter privacy controls. The underlying issue involves CWE-940 (Improper Restriction of Rendered UI Layers or Frames), where the Mail application failed to properly restrict remote image loading within the Lockdown Mode context. When a user forwarded an email, the Mail client would still fetch remote images (typically tracking pixels) even with Lockdown Mode enabled. The fetch reveals the device's network request to the image server, which lets the sender verify that the email address is live, infer that the message was forwarded and when, and potentially gather other information about the user's activity. The affected products are Apple's iOS (iPhone OS) and iPadOS operating systems, which share the same Mail codebase.

Affected Products

Apple iOS (iPhone OS) and iPadOS operating systems prior to version 18.6 are affected. The CPE identifiers cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* and cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* indicate all previous versions of these operating systems are vulnerable. Specific version boundaries are not enumerated in the provided data, but the fix was introduced in iOS 18.6 and iPadOS 18.6. For detailed advisory information, refer to Apple's security advisory at https://support.apple.com/en-us/124147.

Remediation

Vendor-released patch: iOS 18.6 and iPadOS 18.6. Users should update their iPhone and iPad devices to iOS 18.6 or iPadOS 18.6 (or later) without delay. The patch modifies Mail's behavior so that remote images are not loaded when forwarding emails in Lockdown Mode. Apple has published no workaround for unpatched devices. As an interim measure, users concerned about email tracking can avoid forwarding emails until their device is updated, though this is not a practical long-term solution. For deployment guidance and security advisory details, consult https://support.apple.com/en-us/124147.

Priority Score: 24

KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0
