Apple has released emergency security updates to patch a zero-day vulnerability that the company says was exploited in targeted and “extremely sophisticated” attacks.
“A physical attack may disable USB Restricted Mode on a locked device,” the company revealed in an advisory targeting iPhone and iPad users.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
USB Restricted Mode is a security feature (introduced almost seven years ago in iOS 11.4.1) that blocks USB accessories from creating a data connection if the device has been locked for over an hour. This feature is designed to block forensic software like Graykey and Cellebrite (commonly used by law enforcement) from extracting data from locked iOS devices.
In November, Apple introduced another security feature (dubbed “inactivity reboot”) that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software.
The zero-day vulnerability (tracked as CVE-2025-24200 and reported by Citizen Lab’s Bill Marczak) patched today by Apple is an authorization issue addressed in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 with improved state management.
The list of devices this zero-day impacts includes:
- iPhone XS and later,
- iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
Even though this vulnerability was only exploited in targeted attacks, it is highly advised to install today’s security updates immediately to block potentially ongoing attack attempts.
While Apple has yet to provide more information about in-the-wild exploitation, Citizen Lab security researchers have often disclosed zero-days used in targeted spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.
Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064) that Apple fixed in emergency security updates in September 2023 and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group’s Pegasus commercial spyware.
Last month, Apple fixed this year’s first zero-day vulnerability (CVE-2025-24085) tagged as exploited in attacks against iPhone users.
In 2024, the company patched six actively exploited zero-days: the first in January, two in March, a fourth in May, and two more in November.
One year before, in 2023, Apple patched 20 zero-day flaws exploited in the wild, including:
Source link
-
-
-
-
-
-
-
-
