CVE-2025-24221

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthorized access to sensitive keychain data from iOS backups. Attackers with physical access to backup files could extract passwords, certificates, and other protected credentials. Affects users of visionOS, iOS, and iPadOS who create device backups.

💻 Affected Systems

Products:
  • visionOS
  • iOS
  • iPadOS
Versions: prior to visionOS 2.4, iOS 18.4, iPadOS 18.4, and iPadOS 17.7.6
Operating Systems: iOS, iPadOS, visionOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices for which backups are created. Encrypted backups may provide some protection, but the keychain data they contain remains vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all keychain-protected credentials, including passwords, certificates, and authentication tokens, leading to account takeovers and data breaches.

🟠 Likely Case: Targeted attackers with access to backup files extract specific credentials for further attacks or data theft.

🟢 If Mitigated: Limited exposure when backups are encrypted and proper access controls prevent unauthorized access to backup files.

🌐 Internet-Facing: LOW - Requires physical or file system access to backup files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Insider threats or attackers with backup file access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to backup files and knowledge of keychain structure. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: visionOS 2.4, iOS 18.4, iPadOS 18.4, iPadOS 17.7.6

Vendor Advisory: https://support.apple.com/en-us/122371

Restart Required: No

Instructions:

1. Open the Settings app.
2. Go to General > Software Update.
3. Install the available update.
4. Verify that the installed version matches one of the patched versions.

🔧 Temporary Workarounds

Disable device backups (applies to: all)

Prevent creation of vulnerable backup files by disabling iCloud and local backups.

Settings > [Your Name] > iCloud > iCloud Backup > Turn Off

Use encrypted backups only (applies to: all)

Enable backup encryption, which provides additional protection layers.

Settings > [Your Name] > iCloud > iCloud Backup > Encrypt Backup (toggle on)

🧯 If You Can't Patch

  • Store backup files in encrypted containers with strong access controls
  • Implement strict physical security for backup storage locations

🔍 How to Verify

Check if Vulnerable:

Check iOS/iPadOS/visionOS version in Settings > General > About > Software Version

Check Version:

Settings > General > About > Software Version

Verify Fix Applied:

Confirm the version is visionOS 2.4, iOS 18.4, iPadOS 18.4 or iPadOS 17.7.6, or later.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to backup files
  • Unusual backup file access patterns

Network Indicators:

  • Large data transfers of backup files to unauthorized locations

SIEM Query:

source="filesystem" AND (file_path="*backup*" OR file_path="*keychain*") AND action="read" AND user NOT IN [authorized_users]
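The SIEM query above, rendered as a small Python detector and run over constructed file-access log lines. This is an added example, not code from the advisory or from Apple; the key=value log format, the field names and the authorized-user allowlist are assumptions.

```python
"""Evaluate the advisory's SIEM query (source=filesystem, path matches
*backup* or *keychain*, action=read, user not authorized) on log lines."""
import fnmatch
import shlex

# Constructed sample events in key=value form (not real logs).
SAMPLE_LOGS = [
    'source=filesystem user=backupsvc action=read file_path="/srv/backups/iphone/Manifest.db"',
    'source=filesystem user=jdoe action=read file_path="/srv/backups/iphone/keychain-backup.plist"',
    'source=filesystem user=jdoe action=read file_path="/home/jdoe/notes.txt"',
    'source=filesystem user=jdoe action=write file_path="/srv/backups/iphone/Manifest.db"',
    'source=auth user=jdoe action=read file_path="/srv/backups/iphone/Manifest.db"',
]

AUTHORIZED_USERS = {"backupsvc", "mdmadmin"}  # assumed allowlist for the query's [authorized_users]
PATH_PATTERNS = ("*backup*", "*keychain*")    # the file_path globs from the SIEM query


def parse_event(line):
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def matches_query(event, authorized=AUTHORIZED_USERS):
    """True when the event satisfies every clause of the SIEM query.

    An event with no user field is treated as unauthorized (fail closed),
    since a missing identity is itself worth a look.
    """
    if event.get("source") != "filesystem" or event.get("action") != "read":
        return False
    path = event.get("file_path", "").lower()  # case-insensitive path match
    if not any(fnmatch.fnmatch(path, pattern) for pattern in PATH_PATTERNS):
        return False
    return event.get("user") not in authorized


def suspicious_reads(lines, authorized=AUTHORIZED_USERS):
    """Return (user, file_path) for every log line that the query would alert on."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if matches_query(event, authorized):
            hits.append((event.get("user"), event.get("file_path")))
    return hits


if __name__ == "__main__":
    for user, path in suspicious_reads(SAMPLE_LOGS):
        print(f"ALERT: unauthorized read of {path} by {user}")
```

Only the read of the keychain backup file by the non-allowlisted user is flagged; the write, the non-backup path, the non-filesystem source and the allowlisted service account all fall through.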
