CVE-2025-24200 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-02-10

Added to CISA KEV: 2025-02-12 2 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Look for signs of unauthorized USB access or device tampering
Immediately update to iOS 18.3.1, iPadOS 18.3.1, or iPadOS 17.7.5
Review device access logs if available and check for unauthorized data extraction
Implement physical security controls for high-value targets who may be subject to sophisticated attacks
Consider additional endpoint detection and monitoring for targeted individuals

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-24200 is a high-severity authorization vulnerability in Apple’s iOS and iPadOS that was identified as being actively exploited in the wild ^[1].

Overview and Impact

Nature of Vulnerability: The flaw involves an authorization issue stemming from improper state management ^[1].
Impact: Successful exploitation allows an attacker to disable "USB Restricted Mode" on a locked device ^[1]. This bypasses critical hardware security restrictions, potentially enabling unauthorized access or privilege escalation on the affected device ^[1].

Exploitation and Threat Activity

Active Exploitation: The vulnerability has been confirmed as actively exploited in the wild and was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog on February 12, 2025 ^[2] ^[1].
Threat Actor Usage: Apple has acknowledged reports indicating that this vulnerability may have been used in "extremely sophisticated" attacks targeting specific individuals ^[1].
Attack Method: The attack vector is classified as physical ^[1]. Because it involves disabling USB-based restrictions on a locked device, it requires physical access to the target hardware.

Affected Versions and Mitigation

Patch Status: This issue has been addressed by Apple. Users are strongly advised to update their devices to the latest available versions to mitigate the risk.
Affected/Fixed Versions: The vulnerability was resolved in several releases, including:

* iOS 15.8.4 and iPadOS 15.8.4?id=CVE-2025-24200?kagi_q=CVE-2025-24200+details * iOS 16.7.11?id=CVE-2025-24200?kagi_q=CVE-2025-24200+details * iPadOS 17.7.5, iOS 18.3.1, and iPadOS 18.3.1 ^[3]

There is no widespread evidence suggesting this vulnerability is being used in broad, automated ransomware campaigns; rather, the evidence points to highly targeted, sophisticated operations ^[1].

Sources

CVE-2025-24200 - Vulnerability Details - OpenCVE
An authorization issue in Apple’s iOS and iPadOS systems was detected, where improper state management could allow an attacker to disable the USB Restricted Mode on a locked device. This flaw could enable the attacker to bypass hardware restrictions and potentially gain unauthorized access or elevat…
NVD - CVE-2025-24200
Reference Type. CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24200 Types: US Government Resource.CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/12/2025 9:00:01 PM. Action. ... Description. An auth…
CVE-2025-24200 - GitHub Advisory Database
High severity Unreviewed Published on Feb 10, 2025 to the GitHub Advisory Database • Updated 2 days ago ... An authorization issue was addressed with improved state management. This issue is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1.