Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

February 11, 2025

Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.

Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack.

This suggests that the attackers require physical access to the device in order to exploit the flaw. Introduced in iOS 11.4.1, USB Restricted Mode prevents an Apple iOS and iPadOS device from communicating with a connected accessory if it has not been unlocked and connected to an accessory within the past hour.

The feature is seen as an attempt to prevent digital forensics tools like Cellebrite or GrayKey, which are mainly used by law enforcement agencies, from gaining unauthorized entry to a confiscated device and extracting sensitive data.

In line with advisories of this kind, no other details about the security flaw are currently available. The iPhone maker said the vulnerability was addressed with improved state management.

However, Apple acknowledged that it's "aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."

Security researcher Bill Marczak of The Citizen Lab at The University of Toronto's Munk School has been credited with discovering and reporting the flaw.

The update is available for the following devices and operating systems -

iOS 18.3.1 and iPadOS 18.3.1 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
iPadOS 17.7.5 - iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

The development comes weeks after Cupertino resolved another security flaw, a use-after-free bug in the Core Media component (CVE-2025-24085), that it revealed as having been exploited against versions of iOS before iOS 17.2.

Zero-days in Apple software have been primarily weaponized by commercial surveillanceware vendors to deploy sophisticated programs that can extract data from victim devices.

While these tools, such as NSO Group's Pegasus, are marketed as "technology that saves lives" and combat serious criminal activity as a way to get around the so-called "Going Dark" problem, they have also been misused to spy on members of the civil society.

NSO Group, for its part, has reiterated that Pegasus is not a mass surveillance tool and that it's licensed to "legitimate, vetted intelligence and law enforcement agencies."

In its transparency report for 2024, the Israeli company said it serves 54 customers in 31 countries, of which 23 are intelligence agencies and another 23 are law enforcement agencies.