Sunday, February 23, 2025

Apple Patches Actively Exploited iOS 0-Day CVE-2025-24200 in Emergency Update


Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.

Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack.

This suggests that the attackers require physical access to the device in order to exploit the flaw. Introduced in iOS 11.4.1, USB Restricted Mode prevents an Apple iOS and iPadOS device from communicating with a connected accessory if it has not been unlocked and connected to an accessory within the past hour.


The feature is seen as an attempt to prevent digital forensics tools like Cellebrite or GrayKey, which are mainly used by law enforcement agencies, from gaining unauthorized access to a confiscated device and extracting sensitive data.

In line with advisories of this kind, no other details about the security flaw are currently available. The iPhone maker said the vulnerability was addressed with improved state management.


However, Apple acknowledged that it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

Security researcher Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School has been credited with discovering and reporting the flaw.

The update is available for the following devices and operating systems –

  • iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

The development comes weeks after Cupertino resolved another security flaw, a use-after-free bug in the Core Media component (CVE-2025-24085), that it revealed as having been exploited against versions of iOS before iOS 17.2.

Zero-days in Apple software have been primarily weaponized by commercial surveillanceware vendors to deploy sophisticated programs that can extract data from victim devices.


While these tools, such as NSO Group’s Pegasus, are marketed as “technology that saves lives” and combat serious criminal activity as a way to get around the so-called “Going Dark” problem, they have also been misused to spy on members of the civil society.

NSO Group, for its part, has reiterated that Pegasus is not a mass surveillance tool and that it is licensed to “legitimate, vetted intelligence and law enforcement agencies.”


In its transparency report for 2024, the Israeli company said it serves 54 customers in 31 countries, of which 23 are intelligence agencies and another 23 are law enforcement agencies.
