Apple has issued emergency security updates to patch a newly discovered zero-day vulnerability that was actively exploited in highly sophisticated and targeted attacks. The flaw, tracked as CVE-2025-24200, could allow an attacker to bypass USB Restricted Mode, a critical iOS security feature designed to block unauthorized data access on locked devices.
This zero-day was discovered and reported by Citizen Lab’s Bill Marczak, a researcher known for exposing spyware threats targeting high-risk individuals, including journalists, political dissidents, and activists. According to Apple’s security advisory, the vulnerability allows a physical attack to disable USB Restricted Mode on a locked iPhone or iPad, potentially exposing sensitive data.
What is USB Restricted Mode?
First introduced in iOS 11.4.1 nearly seven years ago, USB Restricted Mode is designed to prevent forensic tools like GrayKey and Cellebrite from extracting data from locked iOS devices. If an iPhone or iPad remains locked for over an hour, it blocks USB accessories from establishing a data connection—effectively stopping unauthorized data extraction.
To further enhance security, Apple introduced “inactivity reboot” in November 2024, which automatically restarts iPhones after long periods of inactivity, re-encrypting data and making forensic extraction even more difficult.
The vulnerability affects a wide range of Apple devices, including:
- iPhones: iPhone XS and later
- iPads:
- iPad Pro 13-inch
- iPad Pro 12.9-inch (3rd generation and later)
- iPad Pro 11-inch (1st generation and later)
- iPad Air (3rd generation and later)
- iPad 7th generation and later
- iPad mini (5th generation and later)
- iPad Pro 12.9-inch (2nd generation), iPad Pro 10.5-inch, and iPad 6th generation
Apple has addressed the issue with improved state management in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5.
Although the CVE-2025-24200 vulnerability has only been exploited in targeted attacks, Apple strongly advises all users to install the latest security updates to prevent potential threats.
Citizen Lab has previously reported multiple zero-day vulnerabilities used in spyware attacks, including:
- The BLASTPASS exploit chain (September 2023), which infected fully patched iPhones with NSO Group’s Pegasus spyware.
- CVE-2025-24085, the first zero-day attack of 2025, patched just last month.
Apple has been consistently patching actively exploited zero-days, with a notable increase in threats over the past two years:
- 2025 (so far): 2 zero-days patched
- 2024: 6 zero-days patched
- 2023: 20 zero-days patched
Some of the most severe exploits in 2023 included:
- BLASTPASS zero-click attack (CVE-2023-41061, CVE-2023-41064) in September
- Multiple WebKit zero-days allowing remote code execution
Apple has not disclosed who was targeted by this latest exploit, but given its history, it’s likely that the attack was part of a state-sponsored spyware operation. The company continues to tighten security measures, but the increasing number of sophisticated attacks suggests that iPhone users—especially high-risk individuals—should stay vigilant and update their devices immediately.