CVE-2025-24090 – This CVE describes an information disclosure vu... (How to Fix)

Q: What is the severity of CVE-2025-24090?

CVE-2025-24090 has a CVSS score of 3.3 (LOW). This CVE describes an information disclosure vulnerability in iOS/iPadOS where malicious apps could enumerate which other apps are installed on a device. This affects users running iOS/iPadOS versions before 18.3.

📋 TL;DR

This CVE describes an information disclosure vulnerability in iOS/iPadOS where malicious apps could enumerate which other apps are installed on a device. This affects users running iOS/iPadOS versions before 18.3.

💻 Affected Systems

Products:

iOS
iPadOS

Versions: Versions before iOS 18.3 and iPadOS 18.3

Operating Systems: iOS, iPadOS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Apple mobile devices; requires malicious app installation through App Store or enterprise distribution.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could profile a user's device, identifying installed apps to target for further attacks or gather personal information about user interests/habits.

🟠

Likely Case

Malicious apps could collect app installation data for advertising profiling or targeted phishing campaigns.

🟢

If Mitigated

With proper app sandboxing and App Store review, exploitation would be limited to apps that bypass Apple's security controls.

🌐 Internet-Facing: LOW - This requires a malicious app to be installed on the device, not direct internet exposure.

🏢 Internal Only: MEDIUM - Within an organization, a malicious app could profile employee devices, but requires app installation first.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires a malicious app to be installed on the target device with appropriate permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 18.3 and iPadOS 18.3

Vendor Advisory: https://support.apple.com/en-us/122066

Restart Required: Yes

Instructions:

1. Open Settings app. 2. Tap General. 3. Tap Software Update. 4. Download and install iOS 18.3/iPadOS 18.3. 5. Device will restart automatically.

🔧 Temporary Workarounds

Restrict App Installation Sources

all

Only install apps from trusted sources and avoid sideloading or enterprise app distribution unless necessary.

🧯 If You Can't Patch

Implement Mobile Device Management (MDM) to control which apps can be installed on corporate devices.
Educate users about only installing apps from the official App Store and reviewing app permissions carefully.

🔍 How to Verify

Check if Vulnerable:

Check iOS/iPadOS version in Settings > General > About > Software Version. If version is below 18.3, device is vulnerable.

Check Version:

Not applicable for iOS/iPadOS - use Settings app interface.

Verify Fix Applied:

After updating, verify Software Version shows 18.3 or higher.

📡 Detection & Monitoring

Log Indicators:

Unusual app permission requests for app enumeration APIs
Suspicious app behavior logs in device management systems

Network Indicators:

Unusual network traffic from apps sending device profiling data

SIEM Query:

Not typically applicable as this is a local device vulnerability requiring app installation.

📊 Metadata

CVE ID: CVE-2025-24090

CVSS v3 Score: 3.3 (LOW)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-200

EPSS Score: 0.01% exploit probability (1th percentile)

Published: January 16, 2026

Last Updated: January 27, 2026

🔗 References

https://support.apple.com/en-us/122066 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24090, you might also want to check these: