Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28865

CVE-2026-28865: Apple iPadOS Auth Bypass Vulnerability

CVE-2026-28865 is an authentication bypass flaw in Apple iPadOS that allows attackers in privileged network positions to intercept traffic. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2026-28865 Overview

CVE-2026-28865 is an authentication weakness affecting multiple Apple operating systems. Apple addressed the issue through improved state management across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. An attacker positioned on the network path between a vulnerable device and a remote service may intercept traffic that should otherwise be protected. The flaw is categorized under [CWE-285] Improper Authorization and stems from incorrect authentication state handling rather than a cryptographic implementation defect. Apple released coordinated patches across its product line, including iOS 18.7.7, iOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4.

Critical Impact

An attacker in a privileged network position can intercept network traffic from unpatched Apple devices, undermining the confidentiality and integrity guarantees of affected sessions.

Affected Products

  • Apple iOS and iPadOS prior to 18.7.7 and prior to 26.4
  • Apple macOS Sonoma prior to 14.8.5, macOS Sequoia prior to 15.7.5, and macOS Tahoe prior to 26.4
  • Apple tvOS, visionOS, and watchOS prior to 26.4

Discovery Timeline

  • 2026-03-25 - CVE-2026-28865 published to the National Vulnerability Database
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-28865

Vulnerability Analysis

The vulnerability resides in authentication state handling across Apple operating systems. Apple's advisories describe the fix as an authentication issue addressed with improved state management. Improper tracking of authentication state allows an adjacent or upstream network attacker to manipulate or observe traffic that should be authenticated. The attack requires no privileges on the target device and no user interaction. Successful exploitation does not directly disclose protected content according to the CVSS confidentiality and integrity ratings, but it disrupts the availability of correctly authenticated communications. The flaw has broad reach because the same component is reused across iOS, macOS, tvOS, visionOS, and watchOS codebases.

Root Cause

The root cause is incorrect management of authentication state within a network-facing component. State transitions did not consistently enforce a valid authenticated context, leaving a window in which an attacker on the network path could insert, modify, or redirect traffic. Apple's remediation introduces stricter state tracking so that operations dependent on authentication only proceed once the expected state is reached.

Attack Vector

Exploitation requires a privileged network position. This typically means an attacker controlling an intermediate hop such as a rogue Wi-Fi access point, a compromised router, an upstream ISP node, or an on-path device using ARP or DNS manipulation. From this vantage point, the attacker triggers the state confusion in the affected component and intercepts otherwise protected traffic. The vulnerability is not remotely exploitable from an arbitrary Internet location without that on-path capability.

No public proof-of-concept code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS data published on 2026-05-14 indicates a low probability of near-term exploitation activity.

Detection Methods for CVE-2026-28865

Indicators of Compromise

  • Unexpected certificate prompts, downgraded TLS sessions, or repeated authentication failures on Apple endpoints connected to untrusted networks.
  • ARP table anomalies, gateway MAC changes, or rogue DHCP responses on segments where Apple devices operate.
  • DNS responses pointing Apple services to non-Apple-owned infrastructure or unfamiliar autonomous systems.

Detection Strategies

  • Inventory Apple endpoints and compare installed OS builds against the fixed versions: iOS/iPadOS 18.7.7 or 26.4, macOS Sonoma 14.8.5, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4.
  • Use mobile device management (MDM) compliance rules to flag devices running pre-patch builds.
  • Inspect VPN, proxy, and TLS inspection logs for anomalous renegotiations or session resets originating from Apple device user agents.

Monitoring Recommendations

  • Monitor enterprise Wi-Fi and wired networks for on-path attack indicators, including unauthorized 802.1X authenticators and ARP spoofing alerts.
  • Alert on Apple OS versions that fall behind vendor-supported builds through endpoint management telemetry.
  • Track outbound connections from Apple devices to known Apple service endpoints and investigate deviations.

How to Mitigate CVE-2026-28865

Immediate Actions Required

  • Deploy the Apple security updates to all affected devices using MDM-driven enforcement.
  • Prioritize devices that routinely connect to untrusted networks, including travel laptops, field iPads, and BYOD iPhones.
  • Require corporate VPN usage on unpatched devices until updates are applied to reduce exposure to on-path attackers.

Patch Information

Apple has released fixes in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Refer to the vendor advisories for build-specific details: Apple Security Update #126792, Apple Security Update #126793, Apple Security Update #126794, Apple Security Update #126795, Apple Security Update #126796, Apple Security Update #126797, Apple Security Update #126798, and Apple Security Update #126799.

Workarounds

  • Restrict use of untrusted Wi-Fi networks and require an enterprise VPN with certificate pinning until patches are applied.
  • Enable strict certificate validation and disable legacy or weak protocol fallbacks on managed Apple devices through configuration profiles.
  • Use network segmentation and 802.1X authentication to reduce the likelihood of an attacker reaching a privileged on-path position.
bash
# Verify installed OS build on macOS and trigger software update check
sw_vers
softwareupdate --list
sudo softwareupdate -ia --restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne