CVE-2025-24200
Published: 10 February 2025
Description
Adversaries may attempt to exfiltrate data over a USB-connected physical device.
Security Summary
CVE-2025-24200 is an authorization vulnerability (CWE-863: Incorrect Authorization) stemming from improper state management, affecting multiple versions of iOS and iPadOS. Specifically, it impacts iOS and iPadOS prior to iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, and iPadOS 17.7.5. The flaw enables a physical attack to disable USB Restricted Mode on a locked device, with a CVSS v3.1 base score of 6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An attacker with physical access to the device can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation disables USB Restricted Mode while the device remains locked, potentially granting high-impact access to confidential data and enabling integrity modifications without affecting availability.
Apple's security advisories detail mitigations through updated firmware releases that address the state management issue, including iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5. Practitioners should prioritize patching affected devices, as referenced in Apple support documents such as https://support.apple.com/en-us/122173 and related updates.
Apple has noted awareness of a report indicating this issue may have been exploited in an extremely sophisticated attack targeting specific individuals.
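A triage check for a device inventory against the fixed releases listed above, added here as an example and not taken from Apple's advisory or tooling. The inventory rows, status labels and function names are constructed, and treating major versions newer than every listed branch as fixed is an assumption.

```python
# Fixed releases per branch, copied from the advisory text above.
FIXED = {
    "iOS":    {15: (15, 8, 4), 16: (16, 7, 11), 18: (18, 3, 1)},
    "iPadOS": {15: (15, 8, 4), 16: (16, 7, 11), 17: (17, 7, 5), 18: (18, 3, 1)},
}

def parse_version(text):
    """Turn '16.7' into (16, 7, 0) so it compares correctly against 16.7.11."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(platform, version_text):
    """Return 'patched', 'vulnerable', 'no-listed-fix' or 'unknown'."""
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown"  # platform not covered by this advisory's list
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable value: check the device by hand
    major = version[0]
    if major in branches:
        return "patched" if version >= branches[major] else "vulnerable"
    # Assumption: a major release newer than every listed branch contains the fix.
    if major > max(branches):
        return "patched"
    # Branch without a listed fixed release: only a move to a listed branch resolves it.
    return "no-listed-fix"

def report(inventory):
    """Map each device name to its triage status."""
    return {name: triage(platform, version) for name, platform, version in inventory}

# Constructed inventory rows: (device name, platform, reported OS version).
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "18.3"),
    ("phone-02", "iOS", "18.3.1"),
    ("phone-03", "iOS", "17.6.1"),
    ("tablet-01", "iPadOS", "17.7.4"),
    ("tablet-02", "iPadOS", "16.7.11"),
    ("kiosk-01", "iPadOS", "15.8.4 (build)"),
]

if __name__ == "__main__":
    for name, status in report(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

Devices reported as 'no-listed-fix' or 'unknown' need manual follow-up rather than being counted as safe.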
Details
- CWE(s)
- KEV Date Added: 12 February 2025
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows physical attackers to disable USB Restricted Mode on a locked device, directly facilitating exfiltration of data over a USB physical medium (T1052.001).