On Monday, Apple released out-of-band security updates to address a security flaw in iOS and iPadOS that has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could allow a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber-physical attack.
This suggests that an attacker needs physical access to the device to exploit the flaw. Introduced in iOS 11.4.1, USB Restricted Mode stops an iPhone or iPad from exchanging data with a connected accessory if the device has not been unlocked and connected to an accessory within the past hour.
Cybersecurity Implications
The feature is designed to prevent digital forensics tools like Cellebrite or GrayKey, which are mainly used by law enforcement agencies, from gaining unauthorized entry to a confiscated device and extracting sensitive data.
As is common with advisories of this nature, no further details about the security flaw are currently available. Apple has stated only that the vulnerability was addressed with improved state management.
However, Apple acknowledged that it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
Security researcher Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School has been credited with discovering and reporting the flaw.
Affected Devices and Systems
The update is available for the following devices and operating systems:
- iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
- iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.
Ongoing Security Concerns
The development follows a recent security fix for a use-after-free bug in the Core Media component (CVE-2025-24085), which was exploited against versions of iOS before iOS 17.2.
Zero-day vulnerabilities in Apple software have been primarily weaponized by commercial surveillanceware vendors to deploy sophisticated programs that can extract data from victim devices.
While these tools, such as NSO Group’s Pegasus, are marketed as “technology that saves lives” and a means to combat serious criminal activity, they have also been misused to spy on members of civil society.
NSO Group, for its part, has reiterated that Pegasus is not a mass surveillance tool and that it is licensed to “legitimate, vetted intelligence and law enforcement agencies.”
In its 2024 transparency report, the Israeli company stated that it serves 54 customers in 31 countries, of which 23 are intelligence agencies and another 23 are law enforcement agencies.