CVE-2025-31271 Overview
CVE-2025-31271 is an authentication bypass vulnerability in Apple macOS that allows incoming FaceTime calls to appear or be accepted on a locked macOS device, even when notifications are disabled on the lock screen. This vulnerability stems from improper state management in macOS's handling of FaceTime calls, effectively bypassing the lock screen security controls that users rely on to protect their devices from unauthorized access.
Critical Impact
Unauthorized users with physical or network access can view incoming FaceTime calls and potentially accept them on a locked macOS device, bypassing notification and privacy settings configured by the user.
Affected Products
- Apple macOS (versions prior to macOS Tahoe 26)
Discovery Timeline
- 2025-09-15 - CVE-2025-31271 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-31271
Vulnerability Analysis
This vulnerability is classified under CWE-287 (Improper Authentication), indicating a fundamental flaw in how macOS validates user authentication state when processing incoming FaceTime calls. The issue resides in the state management logic that fails to properly enforce lock screen restrictions for FaceTime notifications and call acceptance.
When a macOS device is locked, the system should prevent any notifications from appearing if the user has explicitly disabled lock screen notifications. However, due to the improper state management, the FaceTime application does not correctly query or respect the device's locked state and user notification preferences. This allows the FaceTime call interface to bypass these security controls entirely.
The network-based attack vector means that any remote caller can trigger this vulnerability simply by initiating a FaceTime call to the target device. No user interaction is required beyond the initial configuration that should have prevented such notifications from appearing.
Root Cause
The root cause lies in improper state management within macOS's FaceTime call handling subsystem. The system fails to properly synchronize the device lock state with the FaceTime notification and call acceptance logic, resulting in a race condition or state confusion where FaceTime operates as if the device is unlocked when it is not. This represents a failure to implement proper authentication checks at the point where incoming calls are processed and displayed.
Attack Vector
The vulnerability can be exploited remotely over the network without requiring any authentication or privileges. An attacker needs only to know the victim's FaceTime contact information (phone number or Apple ID email). The attack flow is as follows:
- The attacker initiates a FaceTime call to the target macOS device
- Despite the device being locked and having lock screen notifications disabled, the incoming call notification appears on screen
- The call may be viewable or even acceptable without unlocking the device
- This exposes the victim's presence and potentially allows for social engineering or eavesdropping if the call is answered
The vulnerability primarily impacts integrity by allowing unauthorized actions (viewing/accepting calls) to occur on a locked device, circumventing the user's security preferences.
Detection Methods for CVE-2025-31271
Indicators of Compromise
- FaceTime call logs showing answered calls during times when the device should have been locked
- User reports of unexpected FaceTime call notifications appearing on locked devices
- Evidence of FaceTime sessions initiated without proper device unlock authentication in system logs
Detection Strategies
- Review FaceTime call history and correlate it with device lock/unlock events to identify calls answered while the device was locked
- Monitor system logs for FaceTime activity that occurs without corresponding user authentication events
- Implement endpoint monitoring to track application state changes relative to screen lock status
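The correlation described in the first strategy above can be sketched as follows. This is an added example, not code from the advisory or from Apple. The event and call record layouts are assumptions and the sample data is constructed; export your own lock-state and call-history telemetry into this shape.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample data (not real macOS log output). The field layout is
# an assumption made for this example.
LOCK_EVENTS = [  # (ISO timestamp, lock state after the event)
    ("2025-09-20T08:55:00", "unlocked"),
    ("2025-09-20T12:00:00", "locked"),
    ("2025-09-20T13:05:00", "unlocked"),
    ("2025-09-20T18:30:00", "locked"),
]
CALLS = [  # (ISO timestamp, caller handle, answered?)
    ("2025-09-20T09:10:00", "alice@example.com", True),
    ("2025-09-20T12:30:00", "unknown@example.net", True),
    ("2025-09-20T12:45:00", "bob@example.com", False),
    ("2025-09-20T19:02:00", "unknown@example.net", True),
    ("2025-09-20T07:00:00", "carol@example.com", True),
]


def lock_state_at(when, events):
    """Return the lock state in effect at `when`, or 'unknown' if no
    lock/unlock event precedes it (never assume unlocked)."""
    times = [t for t, _ in events]
    idx = bisect_right(times, when)
    return events[idx - 1][1] if idx else "unknown"


def suspicious_calls(calls, lock_events):
    """Flag answered calls whose timestamp falls in a locked interval.
    Calls with no preceding lock event are reported as 'unknown' so that
    telemetry gaps are reviewed rather than silently passed."""
    events = sorted((datetime.fromisoformat(t), s) for t, s in lock_events)
    findings = []
    for ts, caller, answered in calls:
        if not answered:
            continue  # unanswered calls are out of scope for this check
        state = lock_state_at(datetime.fromisoformat(ts), events)
        if state != "unlocked":
            findings.append((ts, caller, state))
    return sorted(findings)


if __name__ == "__main__":
    for ts, caller, state in suspicious_calls(CALLS, LOCK_EVENTS):
        print(f"{ts}  answered call from {caller}  screen={state}")
```

Findings with state `unknown` indicate missing lock telemetry before the call and should be triaged separately from confirmed `locked` hits.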
Monitoring Recommendations
- Deploy endpoint detection solutions that can correlate application activity with device lock state
- Enable detailed logging for FaceTime and screen lock events on macOS devices
- Alert on FaceTime call activity patterns that suggest bypass of lock screen controls
How to Mitigate CVE-2025-31271
Immediate Actions Required
- Update all affected macOS systems to macOS Tahoe 26 or later immediately
- Temporarily disable FaceTime on devices that cannot be immediately updated if the lock screen bypass poses significant risk
- Review FaceTime call logs for any unauthorized call acceptance during locked states
Patch Information
Apple has addressed this vulnerability in macOS Tahoe 26 through improved state management. The patch ensures that FaceTime properly respects the device lock state and user notification preferences. Users and administrators should apply this update as soon as possible. Detailed patch information is available in the Apple Support Document.
Additional technical details regarding the vulnerability disclosure can be found in the Full Disclosure Post.
Workarounds
- Disable FaceTime entirely via System Preferences/Settings until the patch can be applied
- Ensure physical security of macOS devices to prevent unauthorized parties from viewing or interacting with the lock screen
- Consider enabling additional authentication requirements for FaceTime if available in your macOS version
- Use Mobile Device Management (MDM) solutions to remotely disable FaceTime on managed devices
# Disable FaceTime from Terminal (requires admin privileges)
sudo defaults write /Library/Preferences/com.apple.FaceTime FaceTimeOff -bool true
# Verify the setting is applied
defaults read /Library/Preferences/com.apple.FaceTime FaceTimeOff
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

