Apple yesterday released out-of-band security updates to address a security flaw in iOS & iPadOS that it observed has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorisation issue that could make it possible for a malicious player to disable USB Restricted Mode on a locked device as part of a cyber physical attack.
Physical Access
This suggests that the attackers require physical access to the device in order to exploit the flaw. Introduced in iOS 11.4.1, USB Restricted Mode prevents an Apple iOS & iPadOS device from communicating with a connected accessory if it has not been unlocked & connected to an accessory within the past hour.
The feature is seen as an attempt to prevent digital forensics tools like Cellebrite or GrayKey, which are mainly used by law enforcement agencies, from gaining unauthorised entry to a confiscated device and extracting sensitive data.
In line with security advisories of this sort, no other details about the security flaw are currently available. The iPhone maker said the vulnerability was addressed with improved state management.
Sophisticated Attack
However, Apple acknowledged that it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
Security researcher Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School has been credited with discovering & reporting the flaw.
The update is available for the following devices & operating systems –
- iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS & later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation & later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation & later, iPad 7th generation & later, & iPad mini 5th generation & later
- iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, & iPad 6th generation
Another Flaw
The development comes just weeks after Cupertino resolved another security flaw, a use-after-free bug in the Core Media component (CVE-2025-24085), that it revealed as having been exploited against versions of iOS before iOS 17.2.
Zero-days in Apple software have been primarily weaponized by commercial surveillance-ware vendors to deploy sophisticated programs that can extract data from victim devices.
While these tools, such as NSO Group’s Pegasus, are marketed as “technology that saves lives” & to combat serious criminal activity as a way to get around the so-called “Going Dark” problem, they have also been misused to spy on members of the civil society.
Mass Surveillance
NSO Group has reiterated that Pegasus is not a mass surveillance tool & that it is licensed to “legitimate, vetted intelligence & law enforcement agencies.”
In its transparency report for 2024, the Israeli company said it serves 54 customers in 31 countries, of which 23 are intelligence agencies & another 23 are law enforcement agencies.
