February 11, 2025
Severity
High
Analysis Summary
Apple has released an out-of-band security update to address CVE-2025-24200, a vulnerability in iOS and iPadOS that allows an attacker to disable USB Restricted Mode on a locked device. The flaw, reported by a security researcher, requires physical access to the device and could be used in highly sophisticated physical attacks against specific targets. USB Restricted Mode, introduced in iOS 11.4.1, blocks data connections over the Lightning or USB-C port once a device has been locked for a period of time, which prevents unauthorized data extraction by forensic tools such as Cellebrite and GrayKey. Apple has patched the vulnerability through improved state management and urges users to update their devices immediately.
The security update is available for a range of Apple devices, including iPhone XS and later, various iPad Pro models, and older iPads that receive iPadOS 17.7.5. This follows Apple's previous fix for CVE-2025-24085, a use-after-free bug in Core Media that was exploited against older iOS versions. These back-to-back zero-day vulnerabilities highlight the growing threats faced by Apple users, particularly from advanced attacks aimed at specific individuals. The lack of detailed public disclosure about CVE-2025-24200 suggests that it may be part of an ongoing investigation into high-profile cyber threats.
Zero-day exploits in Apple’s ecosystem have been frequently leveraged by commercial surveillance vendors to deploy sophisticated spyware. Companies like NSO Group market tools such as Pegasus as solutions for law enforcement and counterterrorism, but these technologies have also been abused to target journalists, activists, and political dissidents. The growing use of such tools raises concerns about privacy and the ethics of digital surveillance, especially as governments and private entities seek more invasive methods to bypass encryption and data protection.
NSO Group maintains that Pegasus is only sold to vetted intelligence and law enforcement agencies, claiming its software is not used for mass surveillance. In its 2024 transparency report, the company stated it serves 54 customers across 31 countries, evenly split between intelligence and law enforcement agencies. However, past reports have revealed that Pegasus has been used to spy on members of civil society, underscoring the broader risks posed by government surveillance tools and the ongoing battle between security researchers, vendors, and those seeking to exploit software vulnerabilities.
Impact
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-24200
Affected Vendors
- Apple
Affected Products
- Apple iPadOS - 18.3.0
- Apple iOS - 18.3.0
- Apple iPadOS - 17.7.4
Remediation
- Upgrade to the latest version of iOS and iPadOS (17.7.5 or 18.3.1 or later), available from the Apple Website.
- Ensure USB Restricted Mode is enabled in device settings (Settings > Face ID/Touch ID & Passcode > Accessories set to off) to limit unauthorized access via USB accessories.
- Set a strong passcode and enable biometric authentication (Face ID or Touch ID) to prevent physical access exploitation.
- Regularly check for unauthorized access attempts or unexpected USB connections.
- Do not plug devices into untrusted USB ports or accessories, which may be used for exploitation.
- If a device is lost or stolen, use Apple’s Find My feature to lock it remotely and erase data if necessary.
- Follow Apple's security advisories and updates to stay aware of emerging threats and vulnerabilities.
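The first remediation step is a version check: a device is patched only if it runs at least the fixed release for its own branch (17.7.5 on the 17.x branch, 18.3.1 on the 18.x branch). The following is an added example, not part of the advisory and not Apple's tooling, showing how to apply that rule to a device inventory without the classic string-comparison mistake (where "18.10.0" sorts below "18.3.1"). The inventory lines and device names are constructed for illustration; the only facts taken from the advisory are the two fixed versions.

```python
"""Audit an iOS/iPadOS device inventory against the CVE-2025-24200 fix versions.

Fixed versions from the advisory: 17.7.5 for the 17.x branch, 18.3.1 for 18.x.
Everything else here (inventory format, device names) is a constructed example.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Minimum patched version per major release branch, as stated in the advisory.
FIXED_VERSIONS = {
    17: (17, 7, 5),
    18: (18, 3, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '18.3' or '17.7.4' into a numeric tuple padded to three parts.

    Tuples compare component by component, so (18, 10, 0) > (18, 3, 1),
    whereas the strings '18.10.0' < '18.3.1' would compare the wrong way.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fix for its branch, False if patched.

    Returns None when the major version is outside the advisory's scope
    (for example an iOS 16 device), so the caller can flag it for manual
    review instead of silently treating it as safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v < fixed


@dataclass
class Device:
    name: str
    os_name: str   # "iOS" or "iPadOS"
    version: str


def load_inventory(csv_text: str) -> list:
    """Parse 'name,os,version' rows (a constructed export format)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Device(r["name"], r["os"], r["version"]) for r in reader]


def audit(devices: list) -> dict:
    """Split devices into 'vulnerable', 'patched' and 'unknown' name lists."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for d in devices:
        state = is_vulnerable(d.version)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        result[key].append(d.name)
    for names in result.values():
        names.sort()
    return result


# Constructed sample inventory; device names and versions are hypothetical.
SAMPLE_INVENTORY = """name,os,version
exec-iphone-01,iOS,18.3
exec-iphone-02,iOS,18.3.1
field-ipad-07,iPadOS,17.7.4
field-ipad-08,iPadOS,17.7.5
lab-iphone-03,iOS,18.10.0
legacy-ipad-01,iPadOS,16.7.10
"""


def run_sample() -> dict:
    """Audit the constructed inventory; the caller decides what to page on."""
    return audit(load_inventory(SAMPLE_INVENTORY))


if __name__ == "__main__":
    for bucket, names in run_sample().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Keying the fix version by major branch matters because a device on 17.7.5 is patched even though 17.7.5 is numerically below every affected 18.x build; a single global threshold would misreport it.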