Apple Confirms USB Restricted Mode Exploited in ‘Extremely Sophisticated’ Attack – Source: www.securityweek.com

Source: www.securityweek.com – Author: Ryan Naraine

Apple on Monday released an urgent patch for its flagship iOS and iPadOS platforms alongside a warning that a critical security flaw was actively exploited in the wild. 

The security defect, tracked as CVE-2025-24200, allows attackers with physical access to a locked iPhone or iPad to disable USB Restricted Mode, a key protection mechanism, in order to access unpatched iPhones.

In a barebones advisory, Cupertino’s security response team confirmed the defect led to “an extremely sophisticated attack against specific targeted individuals.” The issue has been fixed in iOS 18.3.1 and iPadOS 18.3.1.

As is customary, the company did not release IOCs or any telemetry to help defenders hunt for signs of compromise. The discovery of the exploit was credited to Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School, suggesting the exploit was used for nation-state level surveillance.

USB Restricted Mode is a security feature designed to block data access via an iPhone or iPad’s Lightning/USB-C port when the device has been locked for over an hour. It was introduced to thwart hacking tools that connect via USB to crack a device’s passcode or extract data. 

By disabling the data connection after 60 minutes of inactivity, iOS prevents devices like forensic “phone unlockers” from downloading data through the port – effectively turning the Lightning connector into a charge-only interface until the owner unlocks the phone or explicitly allows a USB accessory.

Apple described the flaw as an “authorization issue” in the operating system’s logic that could let a malicious device or technique turn off USB Restricted Mode without a passcode.

In practical terms, an attacker with physical possession of a locked phone could exploit this bug to re-enable the data port, defeating the one-hour lockout and clearing the way for further intrusion.  

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Original Post URL: https://www.securityweek.com/apple-confirms-usb-restricted-mode-exploited-in-extremely-sophisticated-attack/

Category & Tags: Malware & Threats, Nation-State, Apple, Citizen Lab, CVE-2025-24200, Featured, iOS, iOS 18.3.1, USB Restricted Mode
