Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber-physical attack.
This means that the attackers require physical access to the device in order to exploit the flaw. Introduced in iOS 11.4.1, USB Restricted Mode prevents an Apple iOS and iPadOS device from communicating with a connected accessory if it has not been unlocked and connected to an accessory within the past hour.
The feature is seen as an attempt to prevent digital forensics tools like Cellebrite or GrayKey, which are mainly used by law enforcement agencies, from gaining unauthorized access to a confiscated device and extracting sensitive data.
In line with advisories of this kind, no other details about the security flaw are currently available. The iPhone maker said the vulnerability was addressed with improved state management.
However, Apple acknowledged that it is "aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."
Security researcher Bill Marczak of The Citizen Lab at The University of Toronto's Munk School has been credited with discovering and reporting the flaw.
The update is available for the following devices and operating systems –
- iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
The development comes weeks after Cupertino resolved another security flaw, a use-after-free bug in the Core Media component (CVE-2025-24085), that it disclosed as having been exploited against versions of iOS before iOS 17.2.
Zero-days in Apple software have primarily been weaponized by commercial surveillanceware vendors to deploy sophisticated programs that can extract data from victim devices.
While these tools, such as NSO Group's Pegasus, are marketed as "technology that saves lives" and as a means to combat serious criminal activity and get around the so-called "Going Dark" problem, they have also been misused to spy on members of civil society.
NSO Group, for its part, has reiterated that Pegasus is not a mass surveillance tool and that it is licensed only to "legitimate, vetted intelligence and law enforcement agencies."
In its transparency report for 2024, the Israeli company said it serves 54 customers in 31 countries, of which 23 are intelligence agencies and another 23 are law enforcement agencies.