Apple has released an out-of-band security update to address a critical vulnerability, CVE-2025-24200, in iOS and iPadOS. The flaw, which involves an authorization issue, could allow a malicious actor to disable USB Restricted Mode on a locked device. This would enable the attacker to bypass protections that prevent unauthorized access to data when a device is connected to an accessory without being unlocked. To exploit the flaw, the attacker would need physical access to the device, suggesting the vulnerability is limited to cyber-physical attacks.
USB Restricted Mode, introduced in iOS 11.4.1, is designed to block access to devices that have not been unlocked and connected to accessories in the past hour. The feature was specifically created to thwart digital forensics tools like Cellebrite and GrayKey, commonly used by law enforcement to extract data from confiscated devices. Apple has confirmed that the vulnerability was exploited in an attack against specific individuals, though they did not provide further details about the incident or the targeted parties.
The security update, which includes improved state management, has been rolled out for a wide range of devices, including the iPhone XS and later, iPad Pro 13-inch, iPad Air 3rd generation, and iPad 7th generation. Affected users can download iOS 18.3.1 or iPadOS 18.3.1, depending on their device. This update comes shortly after Apple addressed another security flaw, CVE-2025-24085, which was a use-after-free bug found in the Core Media component.
Zero-day vulnerabilities in Apple’s software are often weaponized by commercial surveillance vendors to deploy sophisticated surveillance tools.
Security researcher Bill Marczak from The Citizen Lab at the University of Toronto discovered the vulnerability and reported it to Apple. The company has acknowledged the issue and the potential exploitation but has not disclosed further specifics about the attack. This incident highlights the increasing concerns around the use of surveillance tools such as NSO Group’s Pegasus, which is marketed for legitimate intelligence purposes but has been misused for mass surveillance of civil society members. Despite the controversy surrounding these tools, NSO Group maintains that they are intended only for use by vetted intelligence and law enforcement agencies.
