Security Vulnerability Report
CVE-2025-43360 CVSS 5.5 MEDIUM

CVE-2025-43360

Published: 2025-11-04 02:15:44
Last Modified: 2025-12-01 20:15:51

Description

The issue was addressed with improved UI. This issue is fixed in iOS 26 and iPadOS 26. Password fields may be unintentionally revealed.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
iOS < 26
iPadOS < 26

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-43360 PoC - UI-based Password Field Information Disclosure
// This PoC demonstrates the vulnerability concept (for authorized testing only)
// Note: This is a conceptual PoC as the actual exploitation requires specific UI interactions
// The vulnerability allows password field content to be revealed under certain conditions

// Simulated attack scenario:
function simulatePasswordDisclosure() {
  // Step 1: Trigger specific UI state that reveals password field
  // This may involve rapid UI state transitions or specific interaction sequences

  // Step 2: Access the password field through:
  // - Accessibility APIs (if permissions allow)
  // - UI state inspection
  // - System log extraction

  // Step 3: Extract password content
  const passwordField = document.querySelector('input[type="password"]');
  if (passwordField) {
    // Attempt to read password value
    const password = passwordField.value;
    console.log('Password captured:', password);
  }
}

// Mitigation: Update to iOS 26 / iPadOS 26 or later
// The vulnerability was fixed by improved UI handling in Apple security updates

References

https://support.apple.com/en-us/125108 (Release Notes, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43360", "sourceIdentifier": "[email protected]", "published": "2025-11-04T02:15:43.570", "lastModified": "2025-12-01T20:15:50.750", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved UI. This issue is fixed in iOS 26 and iPadOS 26. Password fields may be unintentionally revealed."}, {"lang": "es", "value": "El problema se abordó con una UI mejorada. Este problema está solucionado en iOS 26 y iPadOS 26. Los campos de contraseña pueden ser revelados involuntariamente."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "C4221CFD-0208-42B8-AACA-1BE6AEC3BA9A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "68DCA17A-424E-4EE3-B005-0F2E42407226"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125108", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}