Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200)
Users of iPhones and iPads running iOS/iPadOS 18 and iPadOS 17 are urged to install the latest updates, which close a security feature bypass vulnerability (CVE-2025-24200) that has been exploited in the wild in “an extremely sophisticated” attack.
The vulnerability (CVE-2025-24200)
“A physical attack may disable USB Restricted Mode on a locked device,” Apple explained.
USB Restricted Mode is a feature Apple introduced in 2018 to protect users against device unlocking (“cracking”) tools such as Graykey, usually at the hands of law enforcement.
These tools connect to the target device over USB and can bypass the passcode-based protection and encryption to extract data. USB Restricted Mode blocks data access over that connection once an iPhone or iPad has been locked for more than an hour.
CVE-2025-24200 stems from an authorization issue that has been solved with improved state management.
The security updates are available for:
- iPhone XS and later
- iPad Pro 13-inch
- iPad Pro 12.9-inch 3rd generation and later
- iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 7th generation and later
- iPad mini 5th generation and later
- iPad Pro 12.9-inch 2nd generation
- iPad Pro 10.5-inch
- iPad 6th generation
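For a fleet administrator, the practical follow-up to an advisory like this is finding which managed iPhones and iPads are still on a build without the fix. The script below is an added example (not code from the article or from Apple): it reads an MDM inventory export, keeps only iPhone/iPad rows, and flags devices on iOS/iPadOS 18 or iPadOS 17 whose version is older than the fixed release, plus devices on a branch the advisory does not cover. The inventory rows are constructed, and the minimum fixed versions are placeholders that must be replaced with the point releases named in Apple's security release note for CVE-2025-24200.

```python
"""Patch-compliance check for CVE-2025-24200 over an MDM inventory export.

Added example, not part of the article or of Apple's tooling. All device
rows below are constructed, and the fixed-version numbers passed in the
demo are placeholders; take the real point releases from Apple's
security release note before running this against a real fleet.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample inventory (serials and models are made up).
SAMPLE_INVENTORY = """serial,model,os_version
C0NSTRUCT01,iPhone 15,18.3
C0NSTRUCT02,iPad Pro 11-inch,17.7.2
C0NSTRUCT03,iPhone XS,18.5
C0NSTRUCT04,iPad 5th generation,16.7.10
C0NSTRUCT05,MacBook Pro,15.3
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.3' or '17.7.2' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def audit_inventory(csv_text: str, fixed_versions: Dict[int, str]) -> List[Tuple[str, str]]:
    """Return (serial, finding) for every iPhone/iPad that still needs action.

    fixed_versions maps an OS major (18, 17) to the first build that carries
    the fix on that branch. Devices on a major that is not in the map are
    flagged for review, since the article lists updates only for iOS/iPadOS 18
    and iPadOS 17.
    """
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        model = row["model"]
        # CVE-2025-24200 affects iOS/iPadOS only; skip Macs and other hardware.
        if not (model.startswith("iPhone") or model.startswith("iPad")):
            continue
        version = parse_version(row["os_version"])
        major = version[0]
        if major not in fixed_versions:
            findings.append(
                (row["serial"], f"{model} on {row['os_version']}: branch not covered by the advisory, review")
            )
            continue
        if version < parse_version(fixed_versions[major]):
            findings.append(
                (row["serial"], f"{model} on {row['os_version']} is older than {fixed_versions[major]}: update required")
            )
    return findings


if __name__ == "__main__":
    # PLACEHOLDER fixed versions: replace with the releases from Apple's note.
    placeholder_fixed = {18: "18.5", 17: "17.8"}
    for serial, finding in audit_inventory(SAMPLE_INVENTORY, placeholder_fixed):
        print(serial, finding)
```

Version strings are compared as integer tuples rather than as text, so "18.10" correctly sorts after "18.9"; an export that uses build identifiers instead of marketing versions would need a different parser.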
The attack
“Apple is aware of a report that [CVE-2025-24200] may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said.
The wording is pretty unusual for Apple but, unfortunately, no other details about the attack have been made available. There has also been no mention of whether the attack can be thwarted by Apple’s Lockdown Mode.
CVE-2025-24200 was flagged by Bill Marczak, a senior researcher with The Citizen Lab at The University of Toronto’s Munk School.
The Citizen Lab is known for aiding political dissidents, civil society activists and journalists who suspect that their devices have been compromised with commercial spyware such as NSO Group’s Pegasus and Intellexa’s Predator.
Their activities often lead them to discover and report zero-day vulnerabilities exploited by this malicious software.