Source excerpt (TechRepublic): "Apple has also fixed vulnerabilities in iPadOS 17.7.6, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5, as well as its recently released iOS 18.4."
# Vulnerability: Critical Zero-Days in Apple iOS/iPadOS Targeting Physical Access Bypass and Sandbox Escape
## CVE Details
- CVE ID: CVE-2025-24200, CVE-2025-24201 (CVE-2025-24085 is also mentioned, but the excerpt gives no details for it)
- CVSS Score: not given in the excerpt; both issues are described as critical and actively exploited.
- CWE: not given in the excerpt; only the technical descriptions below are available.
## Affected Systems
- **Products:** iOS, iPadOS, macOS, visionOS. Patches are listed for iOS/iPadOS and macOS; the WebKit flaw (CVE-2025-24201) reaches any Apple product that embeds WebKit.
- **Versions:**
* **CVE-2025-24200:** Older iOS/iPadOS releases without the February 10 fix (first shipped in iOS 18.3.1/iPadOS 18.3.1).
* **CVE-2025-24201:** Older iOS/iPadOS releases without the earlier mitigations shipped in iOS 17.2 or iOS 18.3.2.
- **Configurations:**
* **CVE-2025-24200:** Any locked device. USB Restricted Mode is the control being bypassed, so having it enabled does not protect against this issue; the attacker must have physical access to the device.
## Vulnerability Description
This summary covers two critical vulnerabilities for which Apple backported fixes to older software branches:
1. **CVE-2025-24200 (Physical Access Bypass):** Allows an attacker with physical access to disable USB Restricted Mode on a locked Apple device. USB Restricted Mode blocks USB data connections once the device has been locked for more than an hour, so disabling it reopens the USB data path on a locked device.
2. **CVE-2025-24201 (Sandbox Escape):** A flaw in the WebKit rendering engine that lets maliciously crafted web content running inside the constrained Web Content sandbox escape that sandbox and reach other parts of the system.
## Exploitation
- **Status:** Apple states that CVE-2025-24200 "may have been exploited in an extremely sophisticated attack against specific targeted individuals", i.e. **exploited in the wild**. CVE-2025-24201 is presented as a follow-on fix for an attack that earlier mitigations (iOS 17.2) had already blocked, so it should be treated as exploited as well.
- **Complexity:** Implied **High** for CVE-2025-24200, given Apple's description of an "extremely sophisticated attack" against targeted individuals.
- **Attack Vector:**
* **CVE-2025-24200:** Local/Physical required.
* **CVE-2025-24201:** Network; the victim loads maliciously crafted web content in Safari or any app that renders it through WebKit.
## Impact
*Confidentiality, Integrity, and Availability* impacts are not rated with CVSS metrics (High/Medium/Low) in the excerpt, but:
* **CVE-2025-24200:** High likelihood of **Confidentiality** impact (data extraction from a locked device over USB, bypassing lock-screen protection), with possible **Integrity**/Availability impact if the attacker can modify data or lock the owner out once the USB data path is open.
* **CVE-2025-24201:** High likelihood of **Confidentiality** and **Integrity** compromise, since a sandbox escape is the step that turns a web-content bug into a system-level compromise.
## Remediation
### Patches
Apple issued fixes on the affected major/minor branches to retroactively address both vulnerabilities:
* **For CVE-2025-24200 & CVE-2025-24201:**
* iOS 16.7.11
* iPadOS 16.7.11
* iOS 15.8.4
* iPadOS 15.8.4
* (The article also notes fixes in iPadOS 17.7.6, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, and the recently released iOS 18.4; the excerpt does not say which vulnerabilities those updates address.)
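A fleet-side check a practitioner would want after reading the patch list is a branch-aware comparison of each device's OS version against the fixed version for that branch. The script below is an added example, not code from the article or from Apple; the minimum versions are taken from this summary (15.8.4, 16.7.11, and 18.3.1/18.3.2 on the 18 branch), and any branch the summary does not name (for example 17.x, where the excerpt only says iPadOS 17.7.6 "fixed vulnerabilities") is reported as UNKNOWN rather than assumed safe. The device inventory is constructed for illustration.

```python
"""Branch-aware patch check for CVE-2025-24200 / CVE-2025-24201.

Added example (not from the TechRepublic article or Apple). Fixed-version
floors come from the advisory summary; branches it does not cover get no
verdict. Versions are compared as integer tuples, not strings, because a
string comparison would rank "16.7.9" above "16.7.11".
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Minimum version per major branch that contains the fix, per CVE.
# 18.x: CVE-2025-24200 shipped in 18.3.1, CVE-2025-24201 in 18.3.2.
FIXED_MIN: dict[str, dict[int, tuple[int, int, int]]] = {
    "CVE-2025-24200": {15: (15, 8, 4), 16: (16, 7, 11), 18: (18, 3, 1)},
    "CVE-2025-24201": {15: (15, 8, 4), 16: (16, 7, 11), 18: (18, 3, 2)},
}


def parse_version(s: str) -> tuple[int, ...]:
    """'18.3.1' -> (18, 3, 1); '15.8' -> (15, 8, 0). Rejects non-numeric input."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to three components so '18.4' compares as (18, 4, 0).
    return nums + (0,) * max(0, 3 - len(nums))


def assess(version: str) -> dict[str, str]:
    """Per-CVE verdict for one device version: PATCHED, VULNERABLE or UNKNOWN."""
    v = parse_version(version)
    verdicts: dict[str, str] = {}
    for cve, floors in FIXED_MIN.items():
        floor = floors.get(v[0])
        if floor is None:
            verdicts[cve] = "UNKNOWN"  # branch not covered by the summary
        else:
            verdicts[cve] = "PATCHED" if v >= floor else "VULNERABLE"
    return verdicts


@dataclass
class Device:
    name: str
    os: str  # 'iOS' or 'iPadOS'
    version: str


def triage(devices: Iterable[Device]) -> dict[str, list[str]]:
    """Split an inventory into devices missing a fix and devices with no verdict."""
    vulnerable: list[str] = []
    unknown: list[str] = []
    for d in devices:
        verdicts = assess(d.version).values()
        if "VULNERABLE" in verdicts:
            vulnerable.append(d.name)
        elif "UNKNOWN" in verdicts:
            unknown.append(d.name)
    return {"VULNERABLE": vulnerable, "UNKNOWN": unknown}


# Constructed inventory for the example; not real device data.
SAMPLE_INVENTORY = [
    Device("ipad-legal-01", "iPadOS", "15.8.3"),
    Device("iphone-exec-02", "iOS", "15.8.4"),
    Device("iphone-field-07", "iOS", "16.7.9"),
    Device("ipad-kiosk-03", "iPadOS", "16.7.11"),
    Device("iphone-ops-11", "iOS", "18.3.1"),  # has the 24200 fix, not 24201
    Device("iphone-ops-12", "iOS", "18.4"),
    Device("ipad-lab-05", "iPadOS", "17.7.6"),  # branch not covered here
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```

The per-CVE split matters on the 18 branch: a device on 18.3.1 is protected against the USB Restricted Mode bypass but still exposed to the WebKit sandbox escape, which a single "is it on the latest version" flag would hide.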
### Workarounds
* No technical workarounds are given; the recommendation is to patch immediately.
* **For CVE-2025-24200:** USB Restricted Mode is itself the control that this flaw disables, so on an unpatched device it cannot be relied on against a capable attacker with physical access. Until the update is installed, the only mitigation is limiting unattended physical access to the device.
## Detection
- The article gives no detection guidance specific to these backported patches.
- **Patch verification:** The most reliable check is inventory-based: compare each device's installed version (Settings > General > About, or the MDM inventory) against the fixed version for its branch (15.8.4, 16.7.11, or the 18.3.1/18.3.2 releases on the 18 branch).
- **Indicators of Compromise (general):** Attacks against high-value individuals may show up as unexplained access to sensitive data or device behaviour inconsistent with the user's own actions, particularly where physical access was feasible (CVE-2025-24200).
- **Detection methods and tools:** Endpoint monitoring that tracks abnormal process or system-call activity, or unexpected WebKit behaviour, may help; consult Apple's security release notes for the specific CVE list in each update.
## References
- Vendor Advisories: Apple Security Updates pages (links are present in the source article but defanged here):
* support dot apple dot com/en-us/122346 (Relevant to iOS 15.8.4/16.7.11)
- Relevant links:
* techrepublic dot com/article/news-apple-security-fixes-ios-15-16/ (Main article source)