PatchSiren


CVE-2016-7634 Apple CVE debrief

CVE-2016-7634 is a local, physical-proximity information-disclosure issue in Apple iOS Accessibility. The problem is that spoken passwords can be accepted without accounting for the fact that they are locally audible, which can expose sensitive authentication material to someone nearby.

Vendor: Apple
Product: iOS
CVSS: MEDIUM 4.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

iPhone and iOS administrators, enterprise mobile-device teams, and users who rely on Accessibility features in environments where privacy matters. It is most relevant when devices are used around other people who could hear spoken passwords.

Technical summary

The NVD record classifies this issue as information disclosure (CWE-200) with a CVSS 3.0 vector of AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The CVE description says iOS before 10.2 is affected, while the NVD CPE metadata specifically lists Apple iPhone OS versions up to 10.1.1. The core issue is that the Accessibility component accepts spoken passwords without considering local audibility.

Defensive priority

Medium. The impact is limited to confidentiality and requires physical proximity, but the exposed data can be highly sensitive. Prioritize remediation for shared, public, and enterprise-managed devices.

Recommended defensive actions

  • Upgrade affected iOS devices to a vendor-fixed release at or above the remediation point identified by Apple.
  • Review and minimize use of spoken-password or voice-input workflows in places where nearby listeners are a concern.
  • Prefer password entry methods that do not emit sensitive information audibly when Accessibility options permit safer alternatives.
  • For managed devices, verify compliance with the Apple security advisory and confirm all affected versions are removed from service.
  • Communicate the risk to users who rely on Accessibility features so they can adjust their authentication behavior in public or shared spaces.

Evidence notes

Source corpus indicates Apple as the vendor and iOS as the affected product family. The CVE description states that iOS before 10.2 is affected and that the Accessibility component accepts spoken passwords without considering local audibility. NVD metadata provides a vulnerable CPE range for Apple iPhone OS ending at 10.1.1, a CVSS 3.0 vector of AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and CWE-200. References in the record include Apple’s security advisory page (support.apple.com/HT207422), plus SecurityFocus and SecurityTracker entries.

Official resources

Publicly disclosed; the CVE was published on 2017-02-20. Use the published date for timing context, not the later modified date.