CVE-2025-30426
📋 TL;DR
This vulnerability allows an app to enumerate a user's installed applications without proper authorization. It affects Apple devices running vulnerable versions of visionOS, tvOS, iPadOS, iOS, and macOS. The issue stems from insufficient entitlement checks that should restrict access to installed app information.
💻 Affected Systems
- visionOS
- tvOS
- iPadOS
- iOS
- macOS
📦 What is this software?
Ipados by Apple
Ipados by Apple
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Tvos by Apple
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create a malicious app that maps all installed applications on a device, potentially identifying vulnerable software, tracking user behavior, or preparing for targeted attacks based on installed app profiles.
Likely Case
Malicious apps in app stores could silently collect information about installed applications for advertising profiling, competitive intelligence, or identifying potential attack targets among users.
If Mitigated
With proper app sandboxing and security controls, the impact is limited to information disclosure about installed applications without access to sensitive data within those applications.
🎯 Exploit Status
Exploitation requires developing or modifying an app to bypass entitlement checks. The technical details are not publicly disclosed in the Apple advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4
Vendor Advisory: https://support.apple.com/en-us/122371
Restart Required: Yes
Instructions:
1. Open Settings app. 2. Navigate to General > Software Update. 3. Download and install the latest available update for your device. 4. Restart your device after installation completes.
🔧 Temporary Workarounds
Restrict App Installation
allOnly install apps from trusted sources and review app permissions carefully
Enable App Review
allReview and remove suspicious or unnecessary apps from devices
🧯 If You Can't Patch
- Implement mobile device management (MDM) to control app installation and monitor for suspicious behavior
- Use application allowlisting to restrict which apps can run on managed devices
🔍 How to Verify
Check if Vulnerable:
Check your device's operating system version against the patched versions listed in the affected systems sectionCheck Version:
Settings > General > About > Version (iOS/iPadOS) or System Settings > General > About (macOS)Verify Fix Applied:
Verify your device is running visionOS 2.4 or later, tvOS 18.4 or later, iPadOS 17.7.6 or later, iOS 18.4 or later, or macOS Sequoia 15.4 or later📡 Detection & Monitoring
Log Indicators:
- Unusual app behavior accessing system APIs related to installed applications
- Multiple API calls to enumerate installed apps from a single application
Network Indicators:
- Data exfiltration containing application lists or metadata
SIEM Query:
app:activity AND (api_call:installed_apps OR entitlement_bypass) AND severity:high🔗 References
- https://support.apple.com/en-us/122371
- https://support.apple.com/en-us/122372
- https://support.apple.com/en-us/122373
- https://support.apple.com/en-us/122377
- https://support.apple.com/en-us/122378
- http://seclists.org/fulldisclosure/2025/Apr/11
- http://seclists.org/fulldisclosure/2025/Apr/12
- http://seclists.org/fulldisclosure/2025/Apr/13
- http://seclists.org/fulldisclosure/2025/Apr/4
- http://seclists.org/fulldisclosure/2025/Apr/5
- http://seclists.org/fulldisclosure/2025/Apr/8
