Apple updated several security content pages on 26 May, adding CVE identifiers and vulnerability descriptions for flaws that had been silently patched in previous iOS, macOS, iPadOS, visionOS, and watchOS releases. The retroactive addition of CVE details — a practice Apple has used consistently but irregularly — this week revealed previously undisclosed issues including a root privilege escalation and a Siri Private Browsing privacy bypass.
What Was Retroactively Disclosed
The 26 May updates added technical details to security pages for multiple prior releases. Among the newly disclosed vulnerabilities:
CVE-2025-30468 — CoreServices Root Escalation: A flaw in macOS CoreServices allows a malicious application to escalate privileges to root. The vulnerability exists in the file quarantine attribute handling code used by macOS Gatekeeper. A specially crafted application could manipulate quarantine metadata to trigger the escalation path. This was patched in an earlier macOS release with no advisory beyond the update notes.
Siri Private Browsing Bypass: An issue in the Siri voice assistant allows Siri to access browsing history from a Private Browsing session in response to voice queries, bypassing the privacy isolation Private Browsing is intended to provide. This affects iOS, iPadOS, and Safari on macOS. A CVE was retroactively assigned but the score was not immediately published.
Call History Fingerprinting: A flaw in the Call History framework allows applications to read call history data across users, enabling cross-user fingerprinting. The vulnerability affects multi-user scenarios, which are limited on iOS but present on macOS and visionOS.
Why Retroactive Disclosure Matters for Enterprise Asset Management
The practice of retroactively adding CVE details to security pages creates a specific operational problem for enterprise patch management and vulnerability tracking. When Apple patches a vulnerability without simultaneously publishing a CVE, vulnerability scanners, SIEM rules, and patch management tools that query NVD or CVE.org for new identifiers do not detect the vulnerability. Organisations may have applied the patch — because they track Apple OS updates by version number — but have no vulnerability record associated with the risk.
The retroactive disclosure process then creates a false positive: a new CVE appears in the feed for a vulnerability that was patched months ago, triggering vulnerability management workflows for a risk that was already remediated. The net result is noise rather than signal in the vulnerability management programme.
Recommended Actions
For vulnerability management teams:
- Treat all Apple OS version updates as applying an unknown number of security fixes, not just the ones listed in the contemporaneous advisory
- When new CVEs appear for Apple components with older patch dates, check whether the patched version is already deployed before opening a remediation ticket
- Configure your vulnerability scanner to reconcile Apple CVEs against the OS version installed, not just against the CVE publication date
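As an added example (not code from the article or from Apple), this script shows the reconciliation logic the three bullets above describe: a triage function decides whether a newly published Apple CVE needs a ticket by comparing each host's installed OS version with the fixed version, not by looking at the CVE's feed date. The CVE id is the one named above; the fixed version, dates and host inventory are constructed placeholders, not Apple's published values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class CveRecord:
    cve_id: str
    product: str     # OS family the record applies to, e.g. "macOS"
    fixed_in: str    # first OS version carrying the fix (from the vendor page)
    patched: date    # release date of that fixing version
    published: date  # date the CVE entry first appeared in the feed

@dataclass
class Host:
    name: str
    product: str
    version: str     # installed OS version from inventory

def parse_version(v: str) -> tuple:
    # "15.4" -> (15, 4); tuples compare component-wise, so 15.4 < 15.10
    return tuple(int(p) for p in v.strip().split("."))

def triage(rec: CveRecord, inventory: list) -> dict:
    """Decide whether a newly published Apple CVE needs a remediation ticket.
    The decision rests on installed version vs. fixed_in, never on the
    publication date: a retroactive entry (published long after patched)
    must not reopen work that the routine OS update already completed."""
    fixed = parse_version(rec.fixed_in)
    exposed = [h.name for h in inventory
               if h.product == rec.product and parse_version(h.version) < fixed]
    lag = (rec.published - rec.patched).days
    return {
        "cve": rec.cve_id,
        "retroactive": lag > 0,   # feed date lags the fix date
        "lag_days": lag,
        "exposed_hosts": exposed,
        "action": "open_ticket" if exposed else "already_remediated",
    }

# Constructed sample data: the CVE id is from Apple's page, but the fixed_in
# version, dates and hosts are placeholders, not Apple's published values.
SAMPLE_CVE = CveRecord("CVE-2025-30468", "macOS", "15.4",
                       date(2025, 3, 31), date(2025, 5, 26))
SAMPLE_INVENTORY = [
    Host("mac-01", "macOS", "15.4.1"),  # patched via routine update
    Host("mac-02", "macOS", "15.3.2"),  # still on a pre-fix version
    Host("pad-01", "iPadOS", "18.5"),   # different product, ignored
]

if __name__ == "__main__":
    print(triage(SAMPLE_CVE, SAMPLE_INVENTORY))
```

Only hosts below the fixed version produce a ticket; when every matching host is already at or above it, the retroactive entry is recorded as remediated and generates no work.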
For privacy and compliance teams:
- The Siri Private Browsing bypass retroactive disclosure may have compliance implications if your data handling policies rely on Private Browsing providing cryptographic or application-level isolation — it does not; it only prevents local storage of history
- The Call History fingerprinting issue is worth reviewing against your multi-user macOS deployment policies
General:
- Subscribe to Apple Security Releases via the RSS feed (https://support.apple.com/rss/product/en_US/security.rss) — this includes retroactive updates. The CERT/CC and NVD feeds lag by days to weeks.