Apple zero day used in 'extremely sophisticated attack'
CVE-2025-24200 is a zero-day vulnerability that bypasses Apple's USB Restricted Mode in iPhones and iPads and was exploited in the wild against 'specific targeted individuals.'
Apple on Monday disclosed and patched CVE-2025-24200, a zero-day vulnerability affecting iOS devices that can disable Apple's USB Restricted Mode.
CVE-2025-24200 is an authorization vulnerability present in multiple generations and models of iPad and iPhone that was patched as part of Apple's iOS 18.3.1 and iPadOS 18.3.1 updates. Although details surrounding the flaw are sparse, Apple said exploitation of the flaw allows a physical attack on a locked device to disable USB Restricted Mode. The issue was addressed with improved state management, Apple said.
USB Restricted Mode is a security feature introduced in 2018 and enabled by default that activates when a user hasn't unlocked or connected their device to an accessory in the previous hour. On a support page, Apple describes it as follows:
"If you don't first unlock your passcode-protected device -- or you haven't unlocked and connected it to an accessory within the past hour -- your device won't communicate with the accessory or computer, and in some cases, it might not charge," the page read. "You might also see an alert asking you to unlock your device to use accessories."
Update your iPhones.. again! iOS 18.3.1 out today with a fix for an ITW USB restricted mode bypass (via Accessibility) https://t.co/jcrsab7RGu
— Bill Marczak (@billmarczak) February 10, 2025
More significantly, Apple said it was "aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." The tech giant did not specify the nature of said attack, crediting only Bill Marczak of The Citizen Lab at The University of Toronto's Munk School with the discovery of the vulnerability.
Devices patched against the flaw include iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Informa TechTarget contacted Apple and The Citizen Lab for additional information, but neither had responded at press time.
Though additional details on CVE-2025-24200 have not been shared, exploitation of several previous Apple zero-day flaws against targeted individuals is in line with activity from spyware vendors -- which exploit vulnerabilities in order to track and surveil targets -- and nation-state threat actors. The Citizen Lab regularly reports such vulnerabilities to Apple, and Marczak has spoken publicly about the challenges of fighting spyware vendors.
The problem -- which Apple calls "mercenary spyware" -- has become so pervasive that the company in 2022 introduced Lockdown Mode, an "extreme, optional" feature available on iOS devices that greatly reduces a user's attack surface at the cost of much of the device's functionality. Apple said the tool was for those "who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware."
Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.