CISA Warns of Apple iOS Vulnerability Exploited in Wild


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability in Apple iOS and iPadOS, tracked as CVE-2025-24200, being actively exploited in targeted attacks. 

The flaw, an authorization bypass in Apple’s USB Restricted Mode, enables attackers with physical access to disable security protections on locked devices, potentially exposing sensitive data.

Vulnerability Details and Exploitation

CVE-2025-24200, cataloged under CWE-863 (Incorrect Authorization), resides in the state management of USB Restricted Mode—a security feature introduced in iOS 11.4.1 to block USB communication with accessories if the device remains locked for over an hour. 

Attackers exploiting this flaw can circumvent these restrictions, allowing data extraction tools of the kind used by law enforcement, and by malicious actors, to communicate with a locked device. 

Apple confirmed the vulnerability was leveraged in “extremely sophisticated” attacks against high-value individuals, though specifics about the threat actors remain undisclosed.

The exploit requires physical access to the device, classifying it as a cyber-physical attack vector. Security researchers, including Bill Marczak of the University of Toronto’s Citizen Lab, identified the flaw and reported it to Apple. 

Citizen Lab has a history of uncovering advanced surveillance campaigns, suggesting state-sponsored groups may be behind the exploitation.

Affected Devices and Mitigation

The vulnerability impacts a broad range of Apple devices, including:

  • iPhone XS and later models
  • iPad Pro 12.9-inch (2nd generation and later)
  • iPad Air (3rd generation and later)
  • iPad mini (5th generation and later)

Apple released emergency patches on February 10, 2025, via iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 for older models. 

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, advising users to patch the issue before March 5, 2025.

While Apple has not linked the exploits to specific surveillance vendors, the sophistication aligns with tactics employed by firms like NSO Group, whose Pegasus spyware has historically exploited similar vulnerabilities. 

NSO Group’s transparency report notes its tools are sold to 54 government clients across 31 countries, raising concerns about misuse against journalists, activists, and politicians.

Recommendations 

Users should immediately install the latest iOS/iPadOS updates via Settings > General > Software Update and enable automatic updates. Organizations reliant on Apple devices for sensitive operations should enforce physical security protocols to deter unauthorized access.
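For organizations checking a fleet rather than a single phone, the following is an added example (not part of the article or any Apple tooling) that triages an MDM inventory export against the fixed versions named above, iOS/iPadOS 18.3.1 and iPadOS 17.7.5. The CSV layout and the device rows are constructed, and the rule that any branch newer than 18.x already carries the fix is an assumption.

```python
"""Fleet triage for CVE-2025-24200 against an MDM inventory export.

Constructed example: the inventory rows below are made up. The fixed
builds are the ones named in the advisory (18.3.1 and 17.7.5); the CSV
column layout is an assumption about the MDM export format.
"""
import csv
import io

# Minimum patched version per major release branch (from the advisory).
FIXED = {17: (17, 7, 5), 18: (18, 3, 1)}

# Constructed MDM export: serial, model, reported OS version.
INVENTORY = """serial,model,os_version
C1,iPhone 15,18.3.1
C2,iPhone XS,18.3
C3,iPad Pro 12.9-inch (2nd gen),17.7.5
C4,iPad Pro 12.9-inch (2nd gen),17.7.2
C5,iPad mini (5th gen),18.2.1
C6,iPhone 16,18.4
"""

def parse_version(text: str) -> tuple:
    """'18.3' -> (18, 3, 0): pad to three parts so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_patched(version: str) -> bool:
    """True if the reported version carries the CVE-2025-24200 fix."""
    v = parse_version(version)
    fix = FIXED.get(v[0])
    if fix is None:
        # Assumption: branches newer than 18.x ship the fix; branches older
        # than 17.x never received it and must be upgraded.
        return v[0] > max(FIXED)
    return v >= fix

def triage(export: str) -> list:
    """Return the exposed rows, each annotated with the build to push."""
    exposed = []
    for row in csv.DictReader(io.StringIO(export)):
        if not is_patched(row["os_version"]):
            major = parse_version(row["os_version"])[0]
            target = FIXED.get(major, FIXED[max(FIXED)])
            row["update_to"] = ".".join(map(str, target))
            exposed.append(row)
    return exposed

if __name__ == "__main__":
    for d in triage(INVENTORY):
        print(f"{d['serial']} {d['model']} {d['os_version']} -> {d['update_to']}")
```

Devices stuck on a branch older than 17.x are flagged with 18.3.1 as the target; the build they can actually reach depends on the model, so treat that column as a prompt to check, not a final answer.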
