CVE-2025-43345
Description
A correctness issue was addressed with improved checks. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. An app may be able to access sensitive user data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A symlink validation issue in Apple operating systems allowed an app to bypass Privacy preferences and access sensitive user data.
Vulnerability
Overview
CVE-2025-43345 is a correctness issue in Apple's handling of symbolic links (symlinks) that could allow an application to bypass Privacy preferences and access sensitive user data. The root cause was a failure to properly validate symlinks, which Apple addressed with improved validation checks in the affected software versions [1], [4].
Exploitation
An attacker would need to have an app running on a vulnerable device, as the flaw is triggered locally. No additional authentication or special network position is required beyond the app's existing capabilities. The vulnerability arises when the app interacts with the file system through symlinks that are not correctly verified, potentially allowing it to reach protected data [1], [4].
Impact
Successful exploitation enables an app to bypass Privacy preferences, meaning it could read sensitive user data that would otherwise be restricted. The impact is limited to local access and does not allow remote code execution or escalation to kernel-level privileges, but it represents a significant privacy concern [1].
Mitigation
Apple patched this vulnerability in a coordinated release on September 15, 2025, across multiple platforms: iOS 18.7, iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, and watchOS 26 [1], [2], [3], [4]. Users should update to the latest available versions to mitigate the risk. Apple's security advisories note that the company does not disclose, discuss, or confirm security issues until patches are available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9 entries (cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* + 1 more)
- cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*, range: < 18.7
- (no CPE), range: < 18.7, < 26
- Range: < 18.7, < 26
- Range: < 15.7
Patches
No patches discovered yet.
References
8 references
- support.apple.com/en-us/125108 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125109 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125111 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125112 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125114 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125115 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125116 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125110 (nvd)