CVE-2025-31229
Apple · iOS and iPadOS
A logic flaw in Apple iOS and iPadOS allows the VoiceOver accessibility feature to read a passcode aloud as it is entered, disclosing it to anyone within earshot.
Executive summary
A critical logic vulnerability in Apple iOS and iPadOS releases before 18.6 allows the VoiceOver accessibility feature to speak a passcode aloud, disclosing it without authorization. The issue is fixed in iOS 18.6 and iPadOS 18.6.
Vulnerability
This is a logic error in the VoiceOver accessibility interface: it fails to suppress speech output for passcode entry, so the characters of a passcode can be read aloud as they are typed. The flaw is an information disclosure, not an authentication bypass in itself; the attacker must be physically present, with VoiceOver active on the device, while a passcode is being entered within earshot. Anyone with physical access to the device who can trigger VoiceOver is in a position to exploit it.
Business impact
Unauthorized disclosure of the device passcode undermines both physical and data security: the passcode is the root credential for the handset, so an attacker who hears it can unlock the device and reach any personal or corporate data stored on it. This advisory rates the issue at CVSS 9.1. Note that the attack needs proximity and a passcode entry with VoiceOver enabled, so the realistic exposure is shoulder-surfing scenarios (shared offices, public transport, kiosks) rather than remote compromise.
Remediation
Immediate Action: Update all affected iOS and iPadOS devices to version 18.6 or later. Treat any device still reporting a version below 18.6 as unpatched.
Proactive Monitoring: Use MDM inventory to identify devices that have not yet reached 18.6 and track them to completion. Until they are updated, avoid entering passcodes while VoiceOver is active in places where others can hear the device. Consider disabling VoiceOver only where no user depends on it; it is an essential accessibility feature for some users and should not be removed from them. Enforce stricter device lock policies (short auto-lock, passcode complexity) where applicable.
Compensating Controls: Ensure that devices are managed via a Mobile Device Management (MDM) solution so that remote lock and data wipe can be applied promptly if a device is reported lost or stolen.
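The remediation steps above reduce to one check that is easy to get wrong at scale: is every iOS or iPadOS device in inventory at 18.6 or later? The following is an added example, not code from Apple or from this advisory. It reads a constructed MDM inventory export (the column names device_name, platform and os_version are assumptions; map them to your MDM's export) and flags devices that are still below the fixed release. Versions are compared numerically, component by component, because a plain string comparison would wrongly rank 18.10 below 18.6 and pass an unpatched 18.5.1 device if compared the other way round. Platforms outside the scope of this CVE (such as macOS) are skipped.

```python
import csv
import io
from typing import List, Tuple

# Fixed release per the advisory above: iOS / iPadOS 18.6.
FIXED_VERSION = "18.6"

# Constructed sample MDM inventory export (not real device data). The column
# names are an assumption; adjust them to your MDM's export format.
SAMPLE_INVENTORY = """device_name,platform,os_version
ipad-finance-01,iPadOS,18.5.1
iphone-ceo,iOS,18.6
iphone-sales-07,iOS,18.10
ipad-kiosk-03,iPadOS,17.7.2
iphone-dev-02,ios,18.6.1
macbook-eng-05,macOS,15.6
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.6.1' into (18, 6, 1) so that comparison is numeric.

    Plain string comparison gets this wrong: '18.10' < '18.6' lexically,
    but 18.10 is the newer release.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(os_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if os_version is at or above the fixed release.

    Shorter tuples are padded with zeros so '18.6' and '18.6.0' compare equal.
    """
    current = parse_version(os_version)
    target = parse_version(fixed)
    width = max(len(current), len(target))
    current += (0,) * (width - len(current))
    target += (0,) * (width - len(target))
    return current >= target


def unpatched_devices(inventory_csv: str) -> List[str]:
    """Return names of iOS/iPadOS devices still below the fixed release.

    Other platforms (e.g. macOS) are out of scope for this CVE and skipped.
    Per the advisory's guidance, anything below 18.6 is treated as unpatched,
    including devices on earlier major versions.
    """
    affected_platforms = {"ios", "ipados"}
    result = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["platform"].strip().lower() not in affected_platforms:
            continue
        if not is_patched(row["os_version"]):
            result.append(row["device_name"])
    return result


if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"UNPATCHED (CVE-2025-31229): {name}")
```

On the sample inventory this reports ipad-finance-01 (18.5.1) and ipad-kiosk-03 (17.7.2); the 18.6, 18.6.1 and 18.10 devices pass, and the macOS entry is ignored. Feed it your real export and hand the resulting list to whoever owns device compliance.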
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the severity of passcode exposure, all users should prioritize updating to iOS 18.6 and iPadOS 18.6. Until patched, a device remains susceptible to passcode disclosure through ordinary interaction with the VoiceOver accessibility feature, and a disclosed passcode gives an attacker with physical access full control of the device.