Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

Apple on Monday (February 10, 2025) released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could allow a malicious actor with physical access to disable USB Restricted Mode on a locked device.
In other words, exploitation requires the attacker to be holding the device. USB Restricted Mode, introduced in iOS 11.4.1, reduces the Lightning or USB-C port to charging only when the device is locked: if the device has not been unlocked within the past hour (or unlocked and then connected to an accessory within that hour), it will not exchange data with a connected accessory or computer until it is unlocked again.
The feature is seen as an attempt to prevent digital forensics tools like Cellebrite or GrayKey, which are mainly used by law enforcement agencies, from gaining unauthorized entry to a confiscated device and extracting sensitive data.
In line with advisories of this kind, no other details about the security flaw are currently available. The iPhone maker said the vulnerability was addressed with improved state management.
However, Apple acknowledged that it's "aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."
Security researcher Bill Marczak of The Citizen Lab at The University of Toronto's Munk School has been credited with discovering and reporting the flaw.
The update is available for the following devices and operating systems:
- iOS 18.3.1 and iPadOS 18.3.1 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- iPadOS 17.7.5 - iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
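Two checks a fleet administrator would want after reading the above: whether each managed device is on a release that contains the fix (iOS/iPadOS 18.3.1, or iPadOS 17.7.5 for the three older iPads), and whether any MDM Restrictions profile has switched USB Restricted Mode off, which would leave the port open while locked regardless of the patch. The script below is an added example written for this article; it is not Apple's code or tooling. It relies on the `allowUSBRestrictedMode` key of Apple's Restrictions payload (`com.apple.applicationaccess`), which only takes effect on supervised devices. The device inventory and the `.mobileconfig` profile are constructed sample data.

```python
"""Fleet check for CVE-2025-24200 exposure (added example, not from the article).

1. Compare each device's reported OS version with the releases that carry the fix.
2. Parse MDM Restrictions profiles (.mobileconfig, plist XML) and flag any that
   set allowUSBRestrictedMode to false.
"""
import plistlib

# Releases that contain the fix, per Apple's advisory: major version -> first fixed build.
# 17.7.5 was only issued for iPad Pro 12.9-inch (2nd gen), iPad Pro 10.5-inch and iPad
# (6th gen); every other supported device must be on 18.3.1 or later.
FIXED_VERSIONS = {18: (18, 3, 1), 17: (17, 7, 5)}


def parse_version(version):
    """'18.3.1' -> (18, 3, 1); tuple comparison then orders releases correctly."""
    return tuple(int(part) for part in version.split("."))


def is_patched(os_version):
    """True if the reported version is at or above the fixed build for its major."""
    ver = parse_version(os_version)
    major = ver[0]
    if major > 18:
        return True  # later major releases include the fix
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return False  # iOS 16 and earlier received no update for this CVE
    return ver >= fixed


# Constructed inventory rows: (device name, model, reported OS version).
INVENTORY = [
    ("ceo-iphone", "iPhone 15 Pro", "18.3.1"),
    ("legal-ipad", "iPad Pro 10.5-inch", "17.7.5"),
    ("field-iphone", "iPhone XS", "18.3"),
    ("lab-ipad", "iPad 6th generation", "17.7.2"),
    ("old-iphone", "iPhone 8", "16.7.10"),
]


def unpatched_devices(inventory):
    """Names of devices whose OS version is below the fixed build."""
    return [name for name, _model, version in inventory if not is_patched(version)]


# Constructed Restrictions profile that turns USB Restricted Mode off.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.restrictions.access</string>
      <key>allowUSBRestrictedMode</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def usb_restricted_mode_disabled(mobileconfig_bytes):
    """True if any Restrictions payload in the profile sets allowUSBRestrictedMode to false.

    The key defaults to true when absent, so only an explicit false is flagged.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        if payload.get("allowUSBRestrictedMode", True) is False:
            return True
    return False


if __name__ == "__main__":
    for name in unpatched_devices(INVENTORY):
        print(f"UNPATCHED for CVE-2025-24200: {name}")
    if usb_restricted_mode_disabled(SAMPLE_PROFILE):
        print("profile example.restrictions disables USB Restricted Mode")
```

Run as-is it reports `field-iphone`, `lab-ipad` and `old-iphone` as unpatched and flags the sample profile. Note what the two checks do and do not establish: a device on 18.3.1 is no longer exposed to this particular bypass, but a profile that sets the key to false removes the hour-long lockout entirely, so the patch buys nothing there; and the mode itself only delays a forensic extraction tool until the passcode is entered, it does not replace a strong passcode.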
The development comes two weeks after Cupertino resolved another security flaw, a use-after-free bug in the CoreMedia component (CVE-2025-24085) fixed in iOS 18.3, that it said may have been actively exploited against versions of iOS before iOS 17.2.
Zero-days in Apple software have been primarily weaponized by commercial surveillanceware vendors to deploy sophisticated programs that can extract data from victim devices.
While these tools, such as NSO Group's Pegasus, are marketed as "technology that saves lives" and as a way for investigators to combat serious crime despite the so-called "Going Dark" problem, they have also been misused to spy on members of civil society.
NSO Group, for its part, has reiterated that Pegasus is not a mass surveillance tool and that it's licensed to "legitimate, vetted intelligence and law enforcement agencies."
In its transparency report for 2024, the Israeli company said it serves 54 customers in 31 countries, of which 23 are intelligence agencies and another 23 are law enforcement agencies.