Apple has patched a zero-day vulnerability being exploited in targeted attacks.
# Vulnerability: Apple Zero-Day Flaw Allows Physical Attack to Bypass USB Restricted Mode
## CVE Details
- CVE ID: CVE-2025-24200
- CVSS Score: N/A (Severity is implied as high due to exploitation, but a formal score is not provided in the text)
- CWE: N/A (Authorization issue related to physical access)
## Affected Systems
- Products: Apple iPhone, Apple iPad
- Versions: Pre-iOS 18.3.1 and pre-iPadOS 18.3.1
- Configurations: Devices with USB Restricted Mode active that an attacker can physically access. Affected models are iPhone XS and later, plus specific model ranges of iPad Pro, iPad Air, iPad, and iPad mini.
## Vulnerability Description
The vulnerability is an authorization issue discovered by Citizen Lab researcher Bill Marczak. It allows a physical attacker to disable USB Restricted Mode on a locked device. Disabling this mode grants an attacker full administrative access, enabling them to impersonate the owner and execute arbitrary software. The attack is described as "extremely sophisticated" and targeted.
## Exploitation
- Status: Exploited in the wild
- Complexity: Likely High (due to the requirement for a physical attack and the "extremely sophisticated" descriptor, though the required complexity to bypass the restriction itself is not detailed)
- Attack Vector: Physical
## Impact
- Confidentiality: High (Full admin access allows data exfiltration)
- Integrity: High (Ability to execute arbitrary software and impersonate the owner)
- Availability: Medium (Potential for device compromise/lockout, though the primary impact is access)
## Remediation
### Patches
- iOS 18.3.1
- iPadOS 18.3.1
### Workarounds
- Users are strongly urged to upgrade immediately. While physical access mitigation is difficult, the patch addresses the flaw.
## Detection
- The advisory gives no explicit detection methods; the implied approach is to watch for indications of a sophisticated, targeted physical compromise of a locked device.
## References
- Vendor advisories: Apple security release for iOS 18.3.1 and iPadOS 18.3.1 (Implied)
- Relevant links (defanged):
  - hXXps://www.infosecurity-magazine.com/news/apple-update-extremely/
  - hXXps://www.infosecurity-magazine.com/news/apple-issues-emergency-patches-for-more-zero-day-bugs/
  - hXXps://www.infosecurity-magazine.com/news/apple-patches-two-zerodays-pegasus/
  - hXXps://www.infosecurity-magazine.com/news/apple-patches-three-actively/
  - hXXps://www.infosecurity-magazine.com/news/apple-boosts-spyware-alerts/