Analysis Summary

Apple has issued an urgent security advisory regarding three critical zero-day vulnerabilities—CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085—that have been actively exploited in sophisticated attacks. These vulnerabilities impact a broad range of Apple devices, including iPhones, iPads, Macs, Apple Watches, Apple TVs, and Vision Pro. The first vulnerability, CVE-2025-24200, is an authorization flaw that allows attackers with physical access to a locked device to disable USB Restricted Mode, a security feature designed to prevent unauthorized data extraction. This issue, discovered by Bill Marczak of The Citizen Lab, poses a significant risk to high-profile targets, as it has been exploited in targeted attacks.

The second vulnerability, CVE-2025-24201, is an out-of-bounds write issue in WebKit, the browser engine behind Safari and many iOS applications. It enables attackers to execute maliciously crafted web content to escape the Web Content sandbox, potentially leading to broader system compromise. Apple acknowledges that this flaw is a supplementary fix for an attack that was blocked in iOS 17.2 but was still exploited on older versions. The third zero-day, CVE-2025-24085, is a use-after-free vulnerability in the CoreMedia component, which could allow a malicious application to escalate privileges. This flaw affects multiple Apple operating systems, including iOS, iPadOS, macOS, watchOS, tvOS, and visionOS, and has been actively exploited in older versions of iOS before iOS 17.2.

Apple has responded swiftly by releasing security patches across its entire ecosystem. Users are strongly advised to update their devices immediately by navigating to Settings > General > Software Update and installing the latest versions: iOS/iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, and visionOS 2.3. Enabling automatic updates is also recommended to ensure continuous protection against emerging threats. The severity of these vulnerabilities varies, with CVE-2025-24201 carrying the highest risk (CVSS 8.1), followed by CVE-2025-24085 (CVSS 7.8) and CVE-2025-24200 (CVSS 6.1).

To further mitigate the risk of exploitation, users should avoid installing untrusted applications, enable Lockdown Mode on compatible devices to reduce attack surfaces, and stay alert for future security updates. These zero-days highlight the growing sophistication of cyber threats targeting Apple’s ecosystem, underscoring the need for constant vigilance and proactive cybersecurity measures. While Apple’s swift response demonstrates its commitment to security, users must remain proactive in updating their devices and adhering to best security practices.

Impact

• Privilege Escalation
• Code Execution
• Security Bypass

Indicators of Compromise

CVE

• CVE-2025-24200

• CVE-2025-24201

• CVE-2025-24085

Affected Vendors

Remediation

• Upgrade to the latest version, available from the Apple security document.

CVE-2025-24200

CVE-2025-24201

CVE-2025-24085

• Update Devices Immediately:
• Go to Settings > General > Software Update and turn on automatic updates to receive security patches as soon as they are available.
• Only download apps from the official Apple App Store to prevent installing malicious software.
• Activating Lockdown Mode on supported devices can reduce exposure to sophisticated cyber threats.
• Regularly check for unusual behavior on your device, such as unexpected crashes, excessive battery drain, or unauthorized access attempts.
• Avoid clicking on untrusted links or opening email attachments from unknown sources, as CVE-2025-24201 exploits malicious web content.
• Enable two-factor authentication (2FA) for Apple ID and critical accounts.
• Use strong, unique passwords for all accounts.
• Keep device backups to prevent data loss in case of a compromise.