CVE-2025-11598
Unknown Unknown - Not Provided
Information Disclosure via App Switcher in mObywatel iOS App

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: CERT.PL

Description
In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized This issue was fixed in version 4.71.0
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11598
EUVD
EUVD-2025-206765
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor mobywatel 4.71.0
unknown_vendor mobywatel to 4.71.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the mObywatel iOS application allows an unauthorized user to view the account owner's personal information through the iOS App Switcher after the login session has ended. When the app is minimized, the last screen displayed remains visible in the minimized app window without requiring re-authentication, exposing sensitive personal data depending on what was last shown before minimizing. This issue affects all versions below 4.71.0 and was fixed in version 4.71.0. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of your personal information stored in the mObywatel app. Even after logging out, someone with access to your device could see sensitive data through the App Switcher without needing to log in again, potentially compromising your privacy and security. [1]

Detection Guidance

This vulnerability can be detected by verifying if the mObywatel iOS application version installed is below 4.71.0. Since the issue involves sensitive information being visible in the iOS App Switcher after logout, manual testing can be performed by logging out of the app, minimizing it, and checking if personal data is visible in the app's minimized window. There are no specific network or system commands provided to detect this vulnerability. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the mObywatel iOS application to version 4.71.0 or later, where the issue has been fixed. Avoid using versions below 4.71.0 to prevent unauthorized exposure of personal information through the App Switcher. [1]

Compliance Impact

The vulnerability exposes personal information to unauthorized users through the iOS App Switcher after the user ends their login session, which could lead to non-compliance with data protection regulations such as GDPR that require safeguarding personal data against unauthorized access. However, specific impacts on compliance with standards like GDPR or HIPAA are not detailed in the provided resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart