Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-46287

CVE-2025-46287: Apple macOS Auth Bypass Vulnerability

CVE-2025-46287 is an authentication bypass flaw in Apple macOS that allows attackers to spoof FaceTime caller IDs through UI inconsistency. This article covers the technical details, affected versions, and mitigations.

Published:

CVE-2025-46287 Overview

CVE-2025-46287 is a user interface inconsistency vulnerability affecting multiple Apple operating systems. The flaw allows an attacker to spoof their FaceTime caller ID, presenting misleading caller information to the recipient. Apple addressed the issue with improved state management across iOS, iPadOS, macOS, visionOS, and watchOS. The weakness maps to [CWE-451] (User Interface Misrepresentation of Critical Information), a class of flaw commonly leveraged in social engineering. Successful exploitation supports impersonation attacks against FaceTime users.

Critical Impact

An attacker can misrepresent their identity on incoming FaceTime calls, enabling impersonation and social engineering against targeted users.

Affected Products

  • Apple iOS and iPadOS prior to 18.7.3 and 26.2
  • Apple macOS Sequoia prior to 15.7.3, macOS Sonoma prior to 14.8.3, and macOS Tahoe prior to 26.2
  • Apple visionOS and watchOS prior to 26.2

Discovery Timeline

  • 2025-12-12 - CVE-2025-46287 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-46287

Vulnerability Analysis

The vulnerability resides in FaceTime's user interface state handling. When an incoming call is negotiated, the caller identity displayed to the recipient can be manipulated because the UI state is not consistently synchronized with the underlying authenticated caller data. This produces a mismatch between what the recipient sees and the actual originating account. The issue is classified under [CWE-451], covering user interface misrepresentation of security-relevant information. Apple resolved the flaw through improved state management in the FaceTime call presentation layer.

Root Cause

The root cause is inconsistent state management within the FaceTime caller identity display logic. The UI component rendering the caller ID relied on state that could diverge from the authenticated identity established during call setup. Without a single source of truth for caller identity at render time, attackers could influence the display to show a caller ID different from the actual originator.

Attack Vector

Exploitation requires no privileges and no user interaction beyond receiving a FaceTime call. The attack occurs over the network through the standard FaceTime call setup process. An attacker initiates a FaceTime call while manipulating the identity data path so the recipient's device presents a spoofed caller ID. The primary impact is impersonation, enabling downstream phishing, fraud, and social engineering. See the Apple Support advisories for platform-specific technical notes.

No public proof-of-concept code is available for this issue, and no exploitation in the wild has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-46287

Indicators of Compromise

  • Reports from users of FaceTime calls displaying caller IDs belonging to known contacts, executives, or trusted brands that later prove to be fraudulent.
  • FaceTime call logs showing incoming calls from Apple IDs or phone numbers inconsistent with the displayed caller identity.
  • Follow-on social engineering activity, such as credential requests or wire transfer instructions, referencing a recent FaceTime call.

Detection Strategies

  • Correlate FaceTime call metadata from unified logging with reported impersonation incidents to identify spoofing patterns.
  • Monitor macOS endpoints for outdated FaceTime-capable OS builds using inventory data and vulnerability management scans.
  • Flag user-reported voice or video impersonation events for review, particularly those preceding financial or credential-related requests.

Monitoring Recommendations

  • Track macOS and iOS version compliance against the fixed builds (15.7.3, 14.8.3, 26.2, 18.7.3) across managed devices.
  • Ingest MDM and endpoint telemetry into a centralized data lake to identify devices still exposed to the flaw.
  • Include FaceTime-based impersonation scenarios in phishing and social engineering awareness training and reporting workflows.

How to Mitigate CVE-2025-46287

Immediate Actions Required

  • Update all Apple devices to the fixed OS versions: iOS/iPadOS 18.7.3 or 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, visionOS 26.2, and watchOS 26.2.
  • Enforce update compliance through Mobile Device Management (MDM) policies for corporate-managed Apple fleets.
  • Advise users to verify sensitive requests received via FaceTime through a secondary trusted channel until patching completes.

Patch Information

Apple released fixes across the affected platforms. Refer to the vendor advisories: Apple Support #125887 and Apple Support #125888 for macOS, and Apple Support #125884, #125885, #125886, #125890, and #125891 for the remaining Apple operating systems. Install the corresponding update for each platform to remediate the issue.

Workarounds

  • Disable FaceTime on high-risk accounts until updates are applied by toggling FaceTime off in system settings.
  • Restrict FaceTime to known contacts using the built-in call filtering and silence-unknown-callers features.
  • Train employees to treat unverified FaceTime callers as untrusted and to confirm identity through an out-of-band channel before acting on requests.
bash
# Verify macOS build meets the patched version on managed endpoints
sw_vers -productVersion

# Example MDM compliance check (pseudocode)
# Require macOS >= 15.7.3 (Sequoia), 14.8.3 (Sonoma), or 26.2 (Tahoe)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.