CVE-2025-43428

9.8 CRITICAL

📋 TL;DR

This CVE describes an authentication bypass in Apple's Photos app: photos in the Hidden Photos Album could be viewed without passing the Face ID, Touch ID or passcode check that normally gates that album. It affects visionOS, iOS, iPadOS and macOS users who keep photos in the Hidden Photos Album. The root cause is insufficient access control on the protected photo content.

💻 Affected Systems

Products:
  • visionOS
  • iOS
  • iPadOS
  • macOS
Versions: Versions prior to visionOS 26.2, iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2
Operating Systems: Apple visionOS, Apple iOS, Apple iPadOS, Apple macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable configuration is the default one; the only precondition is that the Hidden Photos Album contains photos.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive hidden photos (including personal, financial, or confidential images) could be accessed by unauthorized users, potentially leading to privacy violations, blackmail, or data breaches.

🟠 Likely Case

The Hidden Album lock is a second gate inside the already-unlocked Photos app, so the realistic scenario is someone who has been handed an unlocked device (or holds a remote session into it) browsing to hidden photos that were meant to stay behind Face ID, Touch ID or the passcode.

🟢 If Mitigated

With proper device access controls (passcode, biometrics, a short auto-lock interval) and limited physical access, the risk is reduced but not eliminated: the bypass defeats the Hidden Album's own gate, so anyone who gets past the lock screen gets the photos.

🌐 Internet-Facing: LOW - This primarily requires local device access or remote access through other means; not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - The risk exists when unauthorized users gain access to the device, either physically or through compromised accounts/sessions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The bypass removes the Hidden Album's authentication step, so once an attacker has the unlocked device through other means, exploitation should be straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: visionOS 26.2, iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2

Vendor Advisory: https://support.apple.com/en-us/125884

Restart Required: Yes

Instructions:

1. Open the Settings app (System Settings on macOS).
2. Go to General > Software Update.
3. Download and install the available update (visionOS 26.2, iOS 26.2, iPadOS 26.2 or macOS Tahoe 26.2).
4. Restart the device when prompted.

🔧 Temporary Workarounds

Disable Hidden Photos Album

Platforms: all

Remove all photos from the Hidden Photos Album so the bypass has nothing to expose. Note that this trades one exposure for another: photos moved out of the Hidden Album sit in the main library, visible to anyone holding the unlocked device, and photos you delete stay in Recently Deleted for up to 30 days unless you also empty that album.

Open Photos app > Albums > Hidden Album > Select photos > Move to other albums or delete (then empty Recently Deleted)

Enhanced Device Access Controls

Platforms: all

Require a strong passcode or biometrics to unlock, use a short auto-lock interval, and do not hand the unlocked device to untrusted people; the bypass only matters once someone is past the lock screen.

🧯 If You Can't Patch

  • Remove sensitive photos from the Hidden Photos Album and keep them in a separately encrypted store instead; if iCloud Photos is enabled, the Hidden Album syncs to every device on the account, so each of those devices must be patched or emptied, not just the one in hand
  • Restrict physical access to devices and require strong authentication (passcode plus biometrics, short auto-lock) for all user accounts

🔍 How to Verify

Check if Vulnerable:

Check device version in Settings > General > About > Software Version. If version is earlier than visionOS 26.2, iOS 26.2, iPadOS 26.2, or macOS Tahoe 26.2, the device is vulnerable if it has photos in the Hidden Album.

Check Version:

Settings > General > About > Software Version (iOS/iPadOS/visionOS) or Apple menu > About This Mac > macOS version

Verify Fix Applied:

After updating, verify the software version shows visionOS 26.2, iOS 26.2, iPadOS 26.2, or macOS Tahoe 26.2. Test by attempting to access Hidden Photos Album without proper authentication (should be blocked).

📡 Detection & Monitoring

Log Indicators:

  • Apple does not export Photos-app activity or Hidden Album unlock attempts to management or logging tooling on iOS, iPadOS or visionOS, so there is no reliable log indicator for this bypass; unusual access to hidden photos will surface, if at all, as a user report. Rely on inventory instead: report devices still below the fixed version through your MDM's DeviceInformation query (OSVersion) and chase the stragglers.

Network Indicators:

  • Not applicable - this is a local authentication bypass vulnerability

SIEM Query:

Not applicable for network-based detection as this is a local device vulnerability

🔗 References

  • Apple security advisory: https://support.apple.com/en-us/125884