Apple has released an emergency update to iOS and iPadOS to fix a serious zero-day vulnerability known as CVE-2025-24200. Attackers have exploited this flaw in real-world attacks, prompting Apple to act quickly.
Understanding CVE-2025-24200
This vulnerability involves an authorization issue that allows attackers to disable USB Restricted Mode on locked devices. Introduced in iOS 11.4.1, USB Restricted Mode prevents unauthorized access to a device’s data via connected accessories if the device has not been unlocked within the last hour. This feature helps block digital forensics tools, such as Cellebrite and GrayKey, which law enforcement agencies often use to extract sensitive information from seized devices.
Apple states that attackers need physical access to exploit this vulnerability. The company has not shared many details but mentioned that improved state management has mitigated the issue.
Targeted Attacks and Sophisticated Exploits
Apple says it is aware of reports that this vulnerability has been used in extremely sophisticated attacks against specific targeted individuals. Security researcher Bill Marczak from The Citizen Lab at the University of Toronto discovered and reported this flaw.
Affected Devices and Update Availability
The security update is available for the following devices and operating systems:
- iOS 18.3.1 and iPadOS 18.3.1: Compatible with iPhone XS and later, iPad Pro (13-inch, 12.9-inch 3rd generation and later, 11-inch 1st generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), and iPad mini (5th generation and later).
- iPadOS 17.7.5: Applicable to iPad Pro (12.9-inch 2nd generation, 10.5-inch) and iPad (6th generation).
This update follows a recent patch for another vulnerability (CVE-2025-24085), which involved a use-after-free bug in the Core Media component and also affected earlier iOS versions.
The Broader Implications of Zero-Day Vulnerabilities
Commercial surveillance vendors increasingly target zero-day vulnerabilities in Apple software, deploying advanced tools to extract data from compromised devices. Vendors like NSO Group market tools such as Pegasus as essential for combating serious crime, but such tools have also been misused for surveillance against members of civil society.
NSO Group insists that Pegasus is not for mass surveillance and only licenses it to vetted intelligence and law enforcement agencies. In its 2024 transparency report, the company revealed that it serves 54 clients across 31 countries, including 23 intelligence agencies and 23 law enforcement bodies.