Summary
CVE‑2025‑24200 is an authorization flaw in Apple’s USB Restricted Mode that let physical attackers bypass protections on locked iPhones and iPads. It was exploited in highly targeted attacks. Apple fixed it in iOS 18.3.1, iPadOS 18.3.1, and 17.7.5; affected devices should be updated immediately.
Urgent Actions Required
- Update iOS to 18.3.1 and iPadOS to 18.3.1 or 17.7.5 immediately.
- Restrict physical access to affected devices until updates are applied.
- Enable additional device security features and monitor for any suspicious physical access attempts.
Which Systems Are Vulnerable to CVE‑2025‑24200?
Technical Overview
- Vulnerability Type: Authorization Bypass via USB Restricted Mode
- Affected Software/Versions
- iOS versions before 18.3.1
- iPadOS versions before 17.7.5 and before 18.3.1
- CVSS Score: 6.1
- CVSS Vector: v3.1
- Attack Vector: Physical
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
- Patch Availability: Yes, available
How Does the CVE‑2025‑24200 Exploit Work?
The attack typically follows these steps:
What Causes CVE‑2025‑24200?
Vulnerability Root Cause:
The flaw occurs because USB Restricted Mode doesn’t reliably keep its security state on locked devices. With physical access, an attacker can disrupt it and switch the protection off, weakening the USB block on locked devices.
How Can You Mitigate CVE‑2025‑24200?
If immediate patching is delayed or not possible:
- Restrict physical access to devices to prevent attackers from interacting with the USB port.
- Enable additional built-in device security features to strengthen protection while unpatched.
- Monitor for unusual or suspicious attempts to physically access or connect to the device.
- Apply strict device management policies to limit handling, connection, and use of USB accessories.
Which Assets and Systems Are at Risk?
Business-Critical Systems at Risk:
- Devices handling sensitive data where disabling USB Restricted Mode could expose stored information.
- Organizational devices with physical-access exposure, increasing the likelihood of unauthorized USB-based interaction.
- High-risk user devices, as exploitation has been linked to targeted attacks.
Exposure Level:
- Devices physically accessible to attackers, since exploitation requires direct device interaction.
- Unpatched environments where iOS/iPadOS updates are not yet deployed.
- Situations involving monitored individuals, as the vulnerability is reported to be used in selective, sophisticated attacks.
Will Patching CVE‑2025‑24200 Cause Downtime?
Patch application impact: Updating to iOS 18.3.1, iPadOS 18.3.1, or 17.7.5 is a standard software update with minimal downtime, limited to the reboot and install process.
How Can You Detect CVE‑2025‑24200 Exploitation?
Exploitation Signatures:
- Signs of unexpected physical access attempts to a locked device
- Unusual activity around the USB port on devices with USB Restricted Mode enabled
- Device shows USB Restricted Mode disabling without the user unlocking it
MITRE ATT&CK Mapping:
Indicators of Compromise (IOCs/IOAs):
- USB Restricted Mode appearing disabled on a locked device without user action.
- Attempts to connect USB accessories or external hardware shortly after the device is locked.
- Activity suggesting the use of specialized forensic or hacking tools connected through the Lightning/USB-C port.
Behavioral Indicators:
- The device remains locked, but USB data access becomes possible.
- USB Restricted Mode does not activate after the expected timeout.
- Repeated or abnormal physical connection attempts to the device.
Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- Attempts to connect USB data-capable hardware to locked devices.
- Any change in USB Restricted Mode state on managed devices.
- Anomalous physical access patterns during periods when the device should not be handled.
Remediation & Response
Incident Response Considerations:
- Identify devices that show signs of USB Restricted Mode being disabled while locked, especially in sensitive environments.
- Review whether any device experienced unexpected physical access attempts near the time of suspected exploitation.
- Prioritize updating devices belonging to individuals at higher risk of targeted attacks, as the vulnerability is reported to have been exploited in extremely sophisticated scenarios.
- After patching, confirm USB Restricted Mode behaves normally and cannot be turned off without unlocking the device.
Where Can I Find More Information on CVE‑2025‑24200?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 6.1 | Medium-severity vulnerability indicating significant impact on confidentiality and integrity when physical access is obtained |
| Attack Vector | Physical | Exploitation requires physical access to the affected system |
| Attack Complexity | Low | No special conditions or advanced techniques needed |
| Privileges Required | None | The attacker does not need any existing access rights |
| User Interaction | None | No user involvement is required for the attack to succeed |
| Scope | UnChanged | The impact remains confined to the vulnerable component. |
| Confidentiality Impact | High | Successful exploitation can expose sensitive information |
| Integrity Impact | High | Vulnerability allows unauthorized alteration of data |
| Availability Impact | None | No impact on system uptime or service availability |
