PatchSiren cyber security CVE debrief

CVE-2016-7664 Apple CVE debrief

CVE-2016-7664 is a low-severity information disclosure issue in the Accessibility component of Apple iOS, reachable from the lockscreen. According to the supplied record, a physically proximate attacker could use the excessive lockscreen options to obtain sensitive photo and contact information from affected devices running iOS before 10.2.

Vendor: Apple
Product: CVE-2016-7664
CVSS: LOW 2.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Organizations and individuals that manage or use Apple iOS devices running versions before 10.2, especially where devices may be left unattended or within reach of nearby people. Mobile security, endpoint management, and help desk teams should also care, because the issue exposes user data from the lockscreen without an unlock.

Technical summary

The supplied source corpus describes an issue in iOS Accessibility handling that allowed more lockscreen options than intended, creating an information disclosure path. The impact is limited to confidentiality: sensitive photo and contact information may be exposed. NVD maps the weakness to CWE-200 and classifies the attack vector as physical (AV:P), consistent with the attacker needing hands-on or close-proximity access to the device. The record lists vulnerable iPhone OS versions through 10.1.1, while the CVE description states iOS before 10.2; both point to pre-10.2 devices being affected.

Defensive priority

Medium for exposed or unmanaged legacy iOS devices; otherwise low. The CVSS score is 2.4 (LOW), but it still matters for privacy-sensitive environments or devices likely to be accessed physically by unauthorized people.

Recommended defensive actions

  • Update affected Apple devices to iOS 10.2 or later, using the vendor guidance referenced in the Apple advisory.
  • Review lockscreen and Accessibility-related settings on deployed devices to minimize information exposed without unlock.
  • Apply mobile device management policies that reduce local data exposure on older devices that cannot be updated.
  • If legacy devices remain in service, treat them as higher-risk for shoulder-surfing or hands-on access scenarios and restrict physical access accordingly.
  • Use the Apple vendor advisory and NVD record to confirm affected version scope before remediation planning.

Evidence notes

The CVE description states that iOS before 10.2 is affected and that physically proximate attackers could obtain sensitive photo and contact information via excessive lockscreen options in Accessibility. NVD further classifies the weakness as CWE-200 and lists a vulnerable iPhone OS range ending at 10.1.1, which is slightly narrower than the description but consistent with pre-10.2 exposure. Published and modified dates are taken from the supplied CVE/NVD record and should not be treated as incident dates.

Official resources

Publicly disclosed in the supplied CVE record on 2017-02-20. The record was later modified on 2026-05-13; that modified timestamp reflects catalog updates, not the underlying vulnerability date.