CVE-2025-24090 Overview
CVE-2025-24090 is an information disclosure vulnerability in Apple iOS and iPadOS caused by a permissions issue that allows malicious applications to enumerate installed apps on a user's device. This vulnerability stems from insufficient access restrictions (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), enabling apps to gather data about other applications installed on the device without proper authorization.
Critical Impact
A malicious application can enumerate a user's installed apps, potentially enabling privacy violations, targeted attacks, and profiling of user behavior.
Affected Products
- iOS versions prior to 18.3
- iPadOS versions prior to 18.3
Discovery Timeline
- 2026-01-16 - CVE CVE-2025-24090 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-24090
Vulnerability Analysis
This vulnerability represents a permissions issue in Apple's mobile operating systems where access restrictions were insufficient to prevent applications from querying information about other installed apps. The flaw allows a locally installed application to enumerate what other apps a user has installed on their device.
While this may seem relatively benign at first glance, installed app enumeration can be used for various malicious purposes. Attackers can use this information to identify potentially vulnerable applications, determine if security tools are installed (to evade detection), or build profiles of user behavior and interests based on their app portfolio.
The vulnerability requires local access through a malicious app that must already be installed on the device. No user interaction is required once the malicious app is running, and the attack can proceed without elevated privileges.
Root Cause
The root cause is a permissions issue where the operating system did not adequately restrict access to APIs or system data that reveal information about installed applications. Apple addressed this by implementing additional restrictions to properly enforce access controls around app enumeration capabilities.
Attack Vector
The attack vector is local, requiring a malicious application to be installed on the target device. Once installed, the attacker's app can query the system to determine which other applications are present. This could be achieved through various iOS APIs that were not properly restricted.
The attacker could distribute a seemingly legitimate app through the App Store or enterprise distribution that contains code to enumerate installed apps. The collected information could then be exfiltrated to command and control servers for analysis and targeting purposes.
Detection Methods for CVE-2025-24090
Indicators of Compromise
- Applications making unusual or excessive queries to app management APIs
- Network traffic containing lists of installed application bundle identifiers
- Apps attempting to access sandbox-restricted areas related to app enumeration
- Unexpected background activity from apps that don't require such functionality
Detection Strategies
- Monitor for applications querying app installation status APIs at high frequency
- Implement network traffic analysis to detect exfiltration of app enumeration data
- Use mobile device management (MDM) solutions to monitor app behavior
- Review app permissions and behaviors for signs of information gathering
Monitoring Recommendations
- Deploy SentinelOne Singularity Mobile to detect anomalous app behaviors on iOS devices
- Enable comprehensive logging on MDM platforms to capture suspicious API usage
- Monitor for data exfiltration patterns indicating app enumeration data being transmitted
- Implement behavioral analysis to identify apps performing reconnaissance activities
How to Mitigate CVE-2025-24090
Immediate Actions Required
- Update all iOS devices to version 18.3 or later immediately
- Update all iPadOS devices to version 18.3 or later immediately
- Audit installed applications and remove any untrusted or suspicious apps
- Review enterprise-deployed applications for potential malicious behavior
Patch Information
Apple has addressed this vulnerability in iOS 18.3 and iPadOS 18.3 by implementing additional restrictions to prevent unauthorized app enumeration. Organizations and users should apply these updates as soon as possible. For detailed information about the security content of this update, refer to the Apple Support Article.
Workarounds
- Restrict app installation to only trusted sources and approved applications
- Implement MDM policies to limit app installation capabilities on managed devices
- Remove unnecessary or untrusted applications from devices until patching is complete
- Use application allowlisting where possible to prevent potentially malicious apps from being installed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
