Skip to main content

iOS CVE-2025-43280

MEDIUM
Improper Verification of Source of a Communication Channel (CWE-940)
2025-10-15 product-security@apple.com
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 02, 2026 - 19:37 vuln.today
CVE Published
Oct 15, 2025 - 20:15 nvd
MEDIUM 4.7

DescriptionCVE.org

The issue was resolved by not loading remote images. This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode.

AnalysisAI

Mail in Lockdown Mode on iOS and iPadOS allows information disclosure through remote image loading when forwarding emails, bypassing Lockdown Mode's protections designed to prevent such tracking. Apple released patches in iOS 18.6 and iPadOS 18.6 that prevent remote image loading in this scenario. The vulnerability requires user interaction (forwarding an email) and affects unauthenticated remote attackers, with an EPSS score of 0.03% indicating low real-world exploitation probability despite the network attack vector.

Technical ContextAI

Lockdown Mode is Apple's hardened security configuration designed to protect high-risk users by disabling certain features and enforcing stricter privacy controls. The underlying issue involves CWE-940 (Improper Restriction of Rendered UI Layers or Frames), where the Mail application failed to properly restrict remote image loading within the Lockdown Mode context. When a user forwards an email, the Mail client would still load remote images (typically tracking pixels) despite Lockdown Mode being enabled, allowing remote servers to verify email addresses, infer email forwarding patterns, and potentially identify the user's operational status. The affected products are Apple's iOS (iPhone OS) and iPadOS operating systems, which share the same Mail codebase.

RemediationAI

Vendor-released patch: iOS 18.6 and iPadOS 18.6. Users should update their iPhone and iPad devices to iOS 18.6 or iPadOS 18.6 or later immediately. The patch modifies Mail's behavior to prevent loading remote images when forwarding emails in Lockdown Mode. No workarounds are available prior to patching. Users concerned about email tracking can manually avoid forwarding emails until their device is updated, though this is not a practical long-term solution. For deployment guidance and security advisory details, consult https://support.apple.com/en-us/124147.

More in iOS

View all
CVE-2023-43000 HIGH POC
8.8 Nov 05

A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-20700 HIGH POC
7.8 Feb 11

Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CV

CVE-2023-41974 HIGH POC
7.8 Jan 10

A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 7.8), this vulnerability

CVE-2014-7992 MEDIUM POC
5.0 Nov 18

The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensiti

CVE-2022-48618 HIGH
7.0 Jan 09

The issue was addressed with improved checks. Rated high severity (CVSS 7.0). Actively exploited in the wild (cisa kev)

CVE-2025-66555 HIGH POC
8.8 Dec 04

AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type

CVE-2025-46335 HIGH POC
8.6 May 05

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mo

CVE-2021-1385 MEDIUM POC
6.5 Mar 24

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticate

CVE-2026-31852 CRITICAL
10.0 Mar 11

Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.

CVE-2025-43234 CRITICAL
9.8 Jul 30

Memory corruption vulnerabilities in Apple's graphics texture processing engine across iOS, iPadOS, macOS, tvOS, visionO

CVE-2025-43186 CRITICAL
9.8 Jul 30

Buffer overflow memory corruption in Apple file parsing components allows remote code execution across iOS 18.6, iPadOS

CVE-2023-40414 CRITICAL
9.8 Jan 10

A use-after-free issue was addressed with improved memory management. Rated critical severity (CVSS 9.8), this vulnerabi

Share

CVE-2025-43280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy