Full Report
Apple has released a series of critical security updates to address vulnerabilities that were actively exploited as zero-day threats. These updates include backported patches for older versions of iOS, iPadOS, macOS, and watchOS, aiming to secure devices that may still be running outdated software. A key focus of these updates is the backporting of zero-day patches to older devices, reflecting the ongoing efforts to mitigate risks across a broad range of hardware. Notable vulnerabilities include CVE-2025-24200 and CVE-2025-24201, both of which were actively exploited before patches were issued. Backporting Zero-Day Fixes The vulnerability CVE-2025-24200 allowed mobile forensic tools to bypass the USB Restricted Mode on locked devices, a feature designed to prevent unauthorized data access via USB ports. This flaw was addressed with the release of iOS 18.3.1, iPadOS 18.3.1, and macOS 17.7.5 on February 10, 2025, with backports provided for older versions such as iOS 16.7.11 and iPadOS 16.7.11. Similarly, CVE-2025-24201, which affected the WebKit engine, enabled attackers to break out of the Web Content sandbox through specially crafted web content. This vulnerability was exploited in several attacks, prompting company to release fixes in iOS 18.3.2, iPadOS 18.3.2, and macOS Sequoia 15.3.2 on March 11, 2025. Older devices received updates through versions like iOS 16.7.11 and corresponding macOS releases. Apple Addresses Other Vulnerabilities and Fixes In addition to the zero-day flaws, Apple addressed CVE-2025-24085, a privilege escalation issue within the Core Media framework. This vulnerability was patched in the January 2025 updates for iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, and tvOS 18.3, with backports available in iPadOS 17.7.6 and macOS Sonoma 14.7.5. The updates also cover a range of other security flaws across various system components, including Safari, CoreAudio, Maps, Calendar, and more. These patches aim to enhance the overall security posture of company’s ecosystem, addressing risks that could lead to data breaches, system crashes, or unauthorized access. Security Content of Latest Updates The latest update, watchOS 11.4, released on April 1, 2025, targets vulnerabilities affecting the Apple Watch Series 6 and later. Key fixes include CVE-2025-24097, which addresses a permissions issue with AirDrop, and CVE-2025-24244, a flaw in font processing that could lead to memory disclosure. Authentication services have also been fortified, with patches for issues like CVE-2025-30430, which could allow attackers to bypass password autofill restrictions, and CVE-2025-24180, which affected WebAuthn credentials across websites with similar suffixes. Other security enhancements cover audio-related vulnerabilities, such as CVE-2025-24243, which addressed a flaw in processing malicious font files capable of triggering arbitrary code execution. Conclusion The release of these security updates highlights the critical role of timely patching in addressing vulnerabilities, particularly zero-day threats like CVE-2025-24200 and CVE-2025-24201. By backporting fixes to older devices, company aims to provide broader protection, though the effectiveness of such measures relies heavily on user promptness in applying updates.
Analysis Summary
# Vulnerability: Zero-Day Flaws in Multiple Apple Products with Backported Patches
## CVE Details
This summary covers several vulnerabilities patched by Apple, including two zero-days mentioned as CVE-2025-24200 and CVE-2025-24201.
* **CVE ID:** CVE-2025-24097
* **CVSS Score:** Not specified (N/A)
* **CWE:** Permissions issue (AirDrop) / Memory disclosure (Font Processing) / Vulnerability allowing password autofill bypass / WebAuthn credential flaw.
*Specific Scores/CWEs for all mentioned CVEs were not provided in detail, only the general product/component impacts.*
## Affected Systems
* **Products:** Apple Devices (General) including iPhone, iPad, macOS, watchOS.
* Specifically mentioned components: AirDrop, Font Processing, Authentication Services (password autofill), WebAuthn, CoreAudio, Maps, Calendar, Safari.
* **Versions:**
* vulnerable devices receiving backported patches are implied to be older models no longer on the latest main release lines (e.g., receiving updates alongside iPadOS 17.7.6 and macOS Sonoma 14.7.5).
* watchOS 11.4 is specifically mentioned as fixing CVE-2025-24097 and CVE-2025-24244, affecting **Apple Watch Series 6 and later**.
* **Configurations:** Flaws related to AirDrop permissions, font processing, authentication services, and WebAuthn credential comparison logic.
## Vulnerability Description
Apple released significant security updates, backporting zero-day patches (CVE-2025-24200 and CVE-2025-24201) to older devices. The updates address several flaws across system components:
1. **CVE-2025-24097 (watchOS):** An issue related to AirDrop permissions.
2. **CVE-2025-24244 (watchOS):** A flaw in font processing that could lead to memory disclosure.
3. **CVE-2025-30430:** A vulnerability allowing attackers to potentially bypass password autofill restrictions in authentication services.
4. **CVE-2025-24180:** A flaw affecting WebAuthn credentials functionality when websites utilize similar suffixes.
5. **CVE-2025-24243:** A font processing flaw capable of triggering arbitrary code execution when processing malicious font files.
## Exploitation
* **Status:** CVE-2025-24200 and CVE-2025-24201 are implied to be **exploited in the wild** as zero-day threats necessitating backported patches. Exploitation status for other listed CVEs is not specified but is assumed potentially high due to inclusion in critical updates.
* **Complexity:** Not specified, but zero-days often imply high complexity for initial discovery, though exploitation itself might vary.
* **Attack Vector:** Likely varied, potentially involving remote code execution (RCE) vectors from font processing/file handling or less severe vectors via AirDrop/WebAuthn.
## Impact
* **Confidentiality:** High (Potential for memory disclosure and unauthorized access through zero-day exploitation).
* **Integrity:** High (Potential for arbitrary code execution leading to system compromise).
* **Availability:** Medium to High (System crashes or unauthorized control could impact availability).
## Remediation
### Patches
Apple has released updates containing the fixes.
* Updates cover devices receiving patches backported to older hardware/OS lines, including **iPadOS 17.7.6** and **macOS Sonoma 14.7.5**.
* **watchOS 11.4** includes fixes for Apple Watch Series 6 and later.
### Workarounds
No specific technical workarounds were detailed in the provided text, underscoring the need for immediate patching due to zero-day risk.
## Detection
* **Indicators of Compromise:** Not explicitly detailed, but detection focuses on monitoring for suspicious activity related to AirDrop interactions, unexpected application behavior following file/font handling, or unauthorized code execution attempts.
* **Detection methods and tools:** Standard endpoint detection and response (EDR) tools capable of monitoring for unusual process behavior or kernel-level activity related to font rendering engines or system services handling external inputs (like AirDrop objects).
## References
* [Vendor Advisories]: Implied Apple Security Update Documentation (Link references specific update identifiers like `en-us/122376`).
* [Relevant links - defanged]:
* `thecyberexpress com/apple-backports-zero-day-patches/`
* `support apple com/en-us/122376`