CVE-2024-44136
Published: 15 January 2025
Summary
CVE-2024-44136 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Apple Ipados. Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-11 (Device Lock) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-44136 is a vulnerability affecting the Stolen Device Protection feature in iOS and iPadOS versions prior to 17.5. The issue arises from improper state management, enabling an attacker with physical access to a device to disable this security mechanism. It has been addressed in iOS 17.5 and iPadOS 17.5 through improvements in state handling, with a CVSS v3.1 base score of 4.6 (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and associated CWEs including NVD-CWE-noinfo and CWE-863.
An attacker requires physical access to the target device to exploit this vulnerability, which has low attack complexity and demands no privileges, user interaction, or elevated scope. Exploitation allows the attacker to disable Stolen Device Protection, achieving high integrity impact by bypassing safeguards designed to protect data and functionality on stolen devices.
Apple's security advisory at https://support.apple.com/en-us/120905 confirms the issue was resolved via enhanced state management in iOS 17.5 and iPadOS 17.5, recommending that users update affected devices to mitigate the vulnerability.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41158
Vulnerability details
This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to a device may be able to disable Stolen Device Protection.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly allows disabling Stolen Device Protection security feature via physical access and state management flaw, mapping to impairing defenses.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation directly addresses the improper state management vulnerability by applying patches to iOS 17.5 and iPadOS 17.5, preventing attackers from disabling Stolen Device Protection.
Device lock after inactivity prevents unauthorized physical access to the device, blocking exploitation attempts to disable Stolen Device Protection.
Access control for mobile devices enforces usage restrictions and connection requirements, mitigating physical access risks to stolen iOS/iPadOS devices.