CVE-2025-43454 Overview
CVE-2025-43454 is an access control vulnerability [CWE-284] affecting Apple iOS and iPadOS. The flaw allows a device to persistently fail to lock under specific conditions. Apple addressed the issue through improved state management in iOS 18.7.2, iPadOS 18.7.2, iOS 26.1, and iPadOS 26.1.
The vulnerability stems from improper state handling within the device locking mechanism. A device that fails to lock exposes its contents and active sessions to anyone with physical access to it. This undermines the foundational confidentiality control that mobile operating systems rely on to protect user data at rest.
Critical Impact
An iPhone or iPad may persistently remain unlocked, exposing sensitive data, applications, and authenticated sessions to unauthorized physical access.
Affected Products
- Apple iOS versions prior to 18.7.2 and prior to 26.1
- Apple iPadOS versions prior to 18.7.2 and prior to 26.1
- iPhone and iPad devices running the affected operating system builds
Discovery Timeline
- 2025-11-04 - CVE-2025-43454 published to the National Vulnerability Database
- 2025-12-17 - Last updated in NVD database
Technical Details for CVE-2025-43454
Vulnerability Analysis
The vulnerability resides in the device lock state machine of iOS and iPadOS. Under specific conditions, the operating system fails to transition the device into the locked state when expected. The device remains accessible without prompting for the passcode, Face ID, or Touch ID.
Apple categorizes this as a state management defect. The lock subsystem coordinates input from the side button, timeout timers, and proximity sensors to enforce the locked state. When state transitions are mishandled, the device can settle into an inconsistent state where the lock is never engaged.
The impact is on confidentiality. An unlocked device exposes mail, messages, banking applications, stored credentials, and corporate data. The flaw requires no credentials and no user interaction on the attacker's part, but successful exploitation does require physical access to the affected device.
Root Cause
The root cause is improper state management within the iOS and iPadOS lock workflow [CWE-284]. The operating system did not consistently enforce the locked state across all paths that should trigger it. Apple's advisory states the fix addresses the issue through improved state management.
Attack Vector
The practical attack vector is local physical access, even though the CVSS record scores the attack vector as network. An adversary who obtains physical custody of a vulnerable device while it is in the failed-lock state can interact directly with the user interface. No exploit code is required because the device already presents an authenticated session.
No public proof-of-concept is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Apple has not disclosed reports of in-the-wild exploitation. See the Apple Support Document #125632 and Apple Support Document #125633 for vendor details.
Detection Methods for CVE-2025-43454
Indicators of Compromise
- Mobile devices reporting iOS or iPadOS builds older than 18.7.2 or 26.1 in mobile device management (MDM) inventory
- User reports of devices that do not engage the lock screen after the auto-lock timeout
- Anomalous application activity on managed devices outside of typical user working hours
Detection Strategies
- Query MDM platforms for device OS versions and flag any iPhone or iPad running an unpatched build
- Correlate authentication telemetry from corporate applications to identify sessions originating from devices that should have been locked
- Review mobile threat defense logs for compliance failures tied to lock-screen policy enforcement
Monitoring Recommendations
- Enforce MDM compliance rules that require a minimum OS version of iOS/iPadOS 18.7.2 or 26.1, depending on the release branch the device is on
- Alert on devices that fail to report screen-lock policy compliance within defined intervals
- Monitor for unusual access to enterprise resources from mobile devices that bypass conditional access posture checks
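The MDM version check described in the detection strategies and monitoring recommendations above has one trap: the fix ships on two release branches (18.7.2 and 26.1), so a single "newer than 18.7.2" comparison would pass a device on 26.0, which is still affected. The script below is an added example, not vendor or page code; the inventory records and serial numbers in it are constructed, and it assumes an export with `os` and `os_version` fields.

```python
"""Flag iPhones and iPads in an MDM inventory export that still run a build
affected by CVE-2025-43454 (fixed in 18.7.2 and 26.1 per the advisory).
Inventory records below are constructed sample data, not real exports."""

# Patched release on each supported branch, as (major, minor, patch)
FIXED_BY_BRANCH = {18: (18, 7, 2), 26: (26, 1, 0)}

def parse_version(text):
    """'26.1' -> (26, 1, 0): pad to 3 parts so '26.1' equals '26.1.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(version_text):
    """True if the build carries the fix. Branch-aware: 18.x is fixed at 18.7.2,
    26.x at 26.1; a plain compare against 18.7.2 would wrongly pass 26.0."""
    v = parse_version(version_text)
    if v[0] >= 26:
        return v >= FIXED_BY_BRANCH[26]
    if v[0] == 18:
        return v >= FIXED_BY_BRANCH[18]
    # 17 and earlier never received this fix; Apple shipped no 19-25 releases
    # for iOS/iPadOS, so anything else is treated as unpatched (fail closed).
    return False

def flag_unpatched(inventory):
    """Return the iOS/iPadOS records that MDM should quarantine."""
    flagged = []
    for rec in inventory:
        if rec["os"] not in ("iOS", "iPadOS"):
            continue  # macOS, watchOS etc. are out of scope for this CVE
        try:
            patched = is_patched(rec["os_version"])
        except ValueError:
            patched = False  # unparsable version: fail closed and report it
        if not patched:
            flagged.append(rec)
    return flagged

# Constructed sample inventory (serial numbers are made up)
SAMPLE_INVENTORY = [
    {"serial": "SAMPLE0001", "os": "iOS", "os_version": "18.7.1"},
    {"serial": "SAMPLE0002", "os": "iOS", "os_version": "18.7.2"},
    {"serial": "SAMPLE0003", "os": "iPadOS", "os_version": "26.0"},
    {"serial": "SAMPLE0004", "os": "iPadOS", "os_version": "26.1"},
    {"serial": "SAMPLE0005", "os": "iOS", "os_version": "17.7"},
    {"serial": "SAMPLE0006", "os": "macOS", "os_version": "15.1"},
    {"serial": "SAMPLE0007", "os": "iOS", "os_version": "n/a"},
]
```

Running `flag_unpatched(SAMPLE_INVENTORY)` returns the 18.7.1, 26.0, 17.7 and unparsable records; the macOS entry is skipped because this CVE does not apply to it.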
How to Mitigate CVE-2025-43454
Immediate Actions Required
- Update all iPhones to iOS 18.7.2 or iOS 26.1 through Settings > General > Software Update
- Update all iPads to iPadOS 18.7.2 or iPadOS 26.1 through the same Software Update path
- Push the required minimum OS version through MDM and quarantine non-compliant devices from corporate resources
- Instruct users to manually lock devices using the side button rather than relying on auto-lock until patching is complete
Patch Information
Apple released fixes in iOS 18.7.2, iPadOS 18.7.2, iOS 26.1, and iPadOS 26.1. The patch implements improved state management within the device lock subsystem. Patch details are documented in Apple Support Document #125632 and Apple Support Document #125633.
Workarounds
- Manually press the side or top button to lock the device each time it is set down
- Reduce the auto-lock interval under Settings, Display & Brightness, Auto-Lock to the shortest available option
- Restrict Lock Screen widget and notification exposure to limit data shown if the device remains unlocked
- Apply MDM configuration profiles that require passcode entry after each device wake event where supported
# Configuration example: verify the installed iOS or iPadOS version on a managed device
# Note: the macOS softwareupdate command below lists downloadable macOS installers only;
# it does not report the OS version of an iPhone or iPad. For fleet-wide checks, read
# the OS version from the MDM inventory instead.
softwareupdate --list-full-installers
# On the device itself, navigate to: Settings > General > About > Software Version
# Confirm the version is 18.7.2, 26.1, or later on the device's release branch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.