Full Report
Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild. Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack. This
Analysis Summary
# Vulnerability: Authorization Flaw Allows Disabling of USB Restricted Mode on Locked iOS Devices
## CVE Details
- CVE ID: CVE-2025-24200
- CVSS Score: N/A (Score not provided in the source, deemed High severity due to active exploitation)
- CWE: Authorization Issue (Implied)
## Affected Systems
- Products: iOS, iPadOS
- Versions: All versions prior to the patched releases (specifically mentioned as introduced in iOS 11.4.1).
- Configurations: Locked devices where USB Restricted Mode is active.
## Vulnerability Description
This vulnerability is an authorization issue within iOS and iPadOS that could permit a malicious actor to disable USB Restricted Mode on a locked device. USB Restricted Mode, introduced in iOS 11.4.1, prevents communication with connected accessories if the device has not been unlocked within the last hour. Successful exploitation could allow unauthorized data extraction from confiscated devices, likely targeting law enforcement forensic tools like Cellebrite or GrayKey. Apple fixed the issue by implementing "improved state management."
## Exploitation
- Status: Actively exploited in the wild, described as an "extremely sophisticated attack against specific targeted individuals."
- Complexity: High (implied by the description of a "sophisticated attack" and the need for physical access).
- Attack Vector: Physical access required to connect the malicious accessory.
## Impact
- Confidentiality: High (Allows bypassing security features intended to prevent unauthorized data extraction after confiscation).
- Integrity: Unknown/Not primary focus.
- Availability: Unknown/Not primary focus.
## Remediation
### Patches
- **iOS 18.3.1** (For iPhone XS and later, and applicable iPads)
- **iPadOS 18.3.1** (For iPhone XS and later, and applicable iPads)
- **iPadOS 17.7.5** (For older supported models like iPad Pro 12.9-inch 2nd gen)
### Workarounds
No specific workarounds were listed other than applying the emergency patch. Users are strongly encouraged to update immediately due to active exploitation.
## Detection
- Detection methods and specific Indicators of Compromise (IOCs) were not detailed in the summary, as is common with active zero-days patched urgently. The primary detection indicator is the successful exploitation of USB Restricted Mode bypass on locked devices.
## References
- Vendor Advisory (iOS 18.3.1/iPadOS 18.3.1): hxxps://support.apple[.]com/en-us/122174
- Vendor Advisory (iPadOS 17.7.5): hxxps://support.apple[.]com/en-us/122173
- Article Source: hxxps://thehackernews[.]com/2025/02/apple-patches-actively-exploited-ios.html