CVE-2025-31271
📋 TL;DR
This vulnerability allows incoming FaceTime calls to appear or be accepted on locked macOS devices even when lock screen notifications are disabled. This bypasses intended security controls and affects macOS users who rely on device locking for privacy.
💻 Affected Systems
- macOS
📦 What is this software?
macOS by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
⚠️ Risk & Real-World Impact
Worst Case
An attacker could initiate a FaceTime call to a locked device and, if the call is answered from the lock screen, capture audio/video of the device's surroundings without the owner's knowledge or consent.
Likely Case
Unauthorized individuals could answer FaceTime calls on a locked device, potentially accessing sensitive conversations or information.
If Mitigated
With proper physical security controls and user awareness, the impact is limited to privacy violations rather than system compromise.
🎯 Exploit Status
Exploitation requires only initiating a FaceTime call to a vulnerable device. No special tools or techniques needed beyond standard FaceTime functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Tahoe 26
Vendor Advisory: https://support.apple.com/en-us/125110
Restart Required: Yes
Instructions:
1. Open System Settings
2. Navigate to General > Software Update
3. Install the macOS Tahoe 26 update
4. Restart the device when prompted
🔧 Temporary Workarounds
Disable FaceTime
Completely disable FaceTime to prevent any incoming calls
Enable Lock Screen Notifications
Allow FaceTime notifications on the lock screen so the observed behaviour matches the configured one
🧯 If You Can't Patch
- Physically secure devices when not in use to prevent unauthorized access
- Enable Find My and remote wipe capabilities in case device is compromised
🔍 How to Verify
Check if Vulnerable:
Check the macOS version in System Settings > General > About. If the version is earlier than macOS Tahoe 26, the device is vulnerable. The vendor advisory above is the authoritative list of which releases carry the fix.
Check Version:
sw_vers
Verify Fix Applied:
Confirm the macOS version is Tahoe 26 or later, then test from a second device that an incoming FaceTime call no longer appears on the locked Mac while lock screen notifications for FaceTime are disabled.
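The version check in the steps above, as an added fleet-audit script that is not part of the original page or Apple's tooling. It assumes that only the major number reported by sw_vers -productVersion matters (26 and above is fixed, per the advisory) and treats anything it cannot parse as a number as vulnerable, so a beta or unexpected label never reports as patched by accident.

```shell
#!/bin/sh
# Added example: gate on the macOS major version Apple lists as fixed for
# CVE-2025-31271. Assumption (not from the page): comparing the major version
# number alone is sufficient; minor/patch components are ignored.

FIXED_MAJOR=26

# major_of "26.0.1" -> "26"
major_of() {
    printf '%s\n' "$1" | cut -d. -f1
}

# status_for VERSION -> prints "patched" or "vulnerable".
# Empty or non-numeric majors (beta labels, garbage input) fail safe to "vulnerable".
status_for() {
    major=$(major_of "$1")
    case "$major" in
        ''|*[!0-9]*) echo vulnerable; return 0 ;;
    esac
    if [ "$major" -ge "$FIXED_MAJOR" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Live check when run on a Mac; skipped elsewhere so the script stays portable.
# Exit status 1 lets a fleet tool (MDM script, cron job) flag the host.
if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    result=$(status_for "$ver")
    printf 'macOS %s: %s\n' "$ver" "$result"
    [ "$result" = patched ] || exit 1
fi
```

Run it on each Mac from your management tool; a non-zero exit means the host still needs the Tahoe 26 update.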
📡 Detection & Monitoring
Log Indicators:
- FaceTime call history showing calls answered while the device was locked
- Unified log entries for the FaceTime process during a period when the screen was locked (for example, between a loginwindow lock event and the next unlock)
Network Indicators:
- FaceTime traffic from a device whose last recorded state was locked. A network sensor alone cannot see lock state, so this only works when paired with host lock/unlock events.
SIEM Query (schematic):
source="macos" AND (process="FaceTime" OR event="FaceTime call") AND device_state="locked"
macOS does not emit a device_state field on FaceTime events; to use a query of this shape you must have your collector derive the lock state from the host's lock/unlock events and carry it onto subsequent records, or correlate the two event streams in the SIEM.