CVE-2025-43356
📋 TL;DR
This vulnerability allows malicious websites to access device sensor data (like motion, orientation, or environmental sensors) without obtaining user permission. It affects Apple devices running vulnerable versions of Safari, iOS, iPadOS, tvOS, watchOS, and visionOS. Users who visit compromised websites could have their sensor data collected surreptitiously.
💻 Affected Systems
- Safari
- iOS
- iPadOS
- tvOS
- watchOS
- visionOS
📦 What is this software?
Ipados by Apple
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Safari by Apple
Tvos by Apple
Watchos by Apple
⚠️ Risk & Real-World Impact
Worst Case
Attackers could collect sensitive motion, orientation, or environmental data to infer user activities, location patterns, or device usage behaviors without consent, potentially enabling physical tracking or behavioral profiling.
Likely Case
Malicious websites silently collect sensor data to enhance fingerprinting capabilities, track user movements, or gather contextual information for targeted attacks.
If Mitigated
With proper patching, websites cannot access sensors without explicit user consent, maintaining expected privacy controls.
🎯 Exploit Status
Exploitation requires user to visit a malicious website; no authentication bypass needed beyond website access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Safari 26, tvOS 26, watchOS 26, iOS 26, iPadOS 26, visionOS 26, iOS 18.7, iPadOS 18.7
Vendor Advisory: https://support.apple.com/en-us/125108
Restart Required: No
Instructions:
1. Open Settings app. 2. Navigate to General > Software Update. 3. Install available updates for your device. 4. For Safari on macOS, update through System Preferences > Software Update.
🔧 Temporary Workarounds
Disable JavaScript for untrusted sites
iOS/iPadOSPrevents malicious websites from executing JavaScript that could exploit the sensor access vulnerability.
Settings > Safari > Advanced > JavaScript > Toggle off
Use alternative browser
allSwitch to a non-Safari browser that is not affected by this specific vulnerability.
🧯 If You Can't Patch
- Restrict browsing to trusted websites only and avoid unknown or suspicious links.
- Enable strict content blockers and privacy extensions that limit sensor API access.
🔍 How to Verify
Check if Vulnerable:
Check device version in Settings > General > About > Software Version. If version is below the patched versions listed, device is vulnerable.Check Version:
On iOS/iPadOS: Settings > General > About > Software Version. On macOS: Apple menu > About This Mac > Software Update.Verify Fix Applied:
Confirm device version matches or exceeds Safari 26, tvOS 26, watchOS 26, iOS 26, iPadOS 26, visionOS 26, iOS 18.7, or iPadOS 18.7.📡 Detection & Monitoring
Log Indicators:
- Unusual sensor API calls in web browser logs without corresponding user consent events
- Multiple sensor data requests from single website sessions
Network Indicators:
- HTTP requests to known malicious domains attempting sensor data exfiltration
- Unusual data patterns in outbound traffic from browsers
SIEM Query:
source="browser_logs" AND (event="sensor_access" OR api_call="DeviceMotionEvent" OR api_call="DeviceOrientationEvent") AND user_consent="false"🔗 References
- https://support.apple.com/en-us/125108
- https://support.apple.com/en-us/125109
- https://support.apple.com/en-us/125113
- https://support.apple.com/en-us/125114
- https://support.apple.com/en-us/125115
- https://support.apple.com/en-us/125116
- http://seclists.org/fulldisclosure/2025/Sep/49
- http://seclists.org/fulldisclosure/2025/Sep/53
- http://seclists.org/fulldisclosure/2025/Sep/56
- http://seclists.org/fulldisclosure/2025/Sep/57
- http://seclists.org/fulldisclosure/2025/Sep/59
- http://www.openwall.com/lists/oss-security/2025/09/22/3
