CVE-2025-24220 – This CVE describes a permissions vulnerability ... (How to Fix)

Q: What is the severity of CVE-2025-24220?

CVE-2025-24220 has a CVSS score of 5.5 (MEDIUM). This CVE describes a permissions vulnerability in iOS/iPadOS that allows apps to read persistent device identifiers without proper authorization. This affects users running iOS/iPadOS versions before 18.4. The issue could enable tracking and fingerprinting of Apple devices.

📋 TL;DR

This CVE describes a permissions vulnerability in iOS/iPadOS that allows apps to read persistent device identifiers without proper authorization. This affects users running iOS/iPadOS versions before 18.4. The issue could enable tracking and fingerprinting of Apple devices.

💻 Affected Systems

Products:

iOS
iPadOS

Versions: Versions before iOS 18.4 and iPadOS 18.4

Operating Systems: iOS, iPadOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected iOS/iPadOS versions are vulnerable. Requires app installation to exploit.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious app could persistently track user across different apps/services, enabling targeted attacks, profiling, or correlation of user activities across multiple applications.

🟠

Likely Case

Advertising/tracking SDKs or legitimate apps with excessive permissions could access device identifiers for analytics or fingerprinting purposes, potentially violating user privacy expectations.

🟢

If Mitigated

With proper app review and sandboxing, impact is limited to apps that have already been approved through App Store review process.

🌐 Internet-Facing: LOW - This is a local app vulnerability requiring app installation, not directly exploitable over internet.

🏢 Internal Only: MEDIUM - Enterprise MDM-managed devices could be affected if malicious enterprise apps are deployed, but requires app installation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW - App simply needs to request the identifier through vulnerable API.

Exploitation requires user to install a malicious app or an app with vulnerable SDK. App Store review process provides some protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 18.4 and iPadOS 18.4

Vendor Advisory: https://support.apple.com/en-us/122371

Restart Required: Yes

Instructions:

1. Open Settings app. 2. Tap General. 3. Tap Software Update. 4. Download and install iOS 18.4/iPadOS 18.4 update. 5. Device will restart automatically.

🔧 Temporary Workarounds

Restrict App Installation

all

Only install apps from trusted sources and review app permissions carefully.

Review App Permissions

all

Regularly review and revoke unnecessary app permissions in Settings.

🧯 If You Can't Patch

Implement Mobile Device Management (MDM) to control app installation and enforce security policies.
Use enterprise app vetting processes and only allow installation of approved, verified applications.

🔍 How to Verify

Check if Vulnerable:

Check iOS/iPadOS version in Settings > General > About > Software Version. If version is earlier than 18.4, device is vulnerable.

Check Version:

Not applicable - check via device Settings UI

Verify Fix Applied:

After updating, verify version shows iOS 18.4 or iPadOS 18.4 in Settings > General > About > Software Version.

📡 Detection & Monitoring

Log Indicators:

App Store review logs showing apps requesting device identifiers
MDM logs showing app installation attempts

Network Indicators:

Unusual device identifier transmission to analytics/tracking endpoints

SIEM Query:

Not typically applicable for mobile device vulnerabilities of this nature

📊 Metadata

CVE ID: CVE-2025-24220

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-200

EPSS Score: 0.03% exploit probability (6.2th percentile)

Published: May 12, 2025

Last Updated: November 3, 2025

🔗 References

https://support.apple.com/en-us/122371 Release Notes,Vendor Advisory
http://seclists.org/fulldisclosure/2025/Jul/31
http://seclists.org/fulldisclosure/2025/May/6

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24220, you might also want to check these: