CVE-2024-44136

Medium

Published: 15 January 2025

Published

15 January 2025

Modified

22 March 2025

KEV Added

—

Patch

—

CVSS Score 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score 0.0030 53.6th percentile

Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-44136 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Apple Ipados. Its CVSS base score is 4.6 (Medium).

Operationally, ranked in the top 46.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-11 (Device Lock) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation directly addresses the improper state management vulnerability by applying patches to iOS 17.5 and iPadOS 17.5, preventing attackers from disabling Stolen Device Protection.

AC-11 Device Lock good match

prevent

Device lock after inactivity prevents unauthorized physical access to the device, blocking exploitation attempts to disable Stolen Device Protection.

AC-19 Access Control for Mobile Devices partial match

prevent

Access control for mobile devices enforces usage restrictions and connection requirements, mitigating physical access risks to stolen iOS/iPadOS devices.

NVD Description

This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to a device may be able to disable Stolen Device Protection.

Deeper analysisAI

CVE-2024-44136 is a vulnerability affecting the Stolen Device Protection feature in iOS and iPadOS versions prior to 17.5. The issue arises from improper state management, enabling an attacker with physical access to a device to disable this security mechanism. It has been addressed in iOS 17.5 and iPadOS 17.5 through improvements in state handling, with a CVSS v3.1 base score of 4.6 (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and associated CWEs including NVD-CWE-noinfo and CWE-863.

An attacker requires physical access to the target device to exploit this vulnerability, which has low attack complexity and demands no privileges, user interaction, or elevated scope. Exploitation allows the attacker to disable Stolen Device Protection, achieving high integrity impact by bypassing safeguards designed to protect data and functionality on stolen devices.

Apple's security advisory at https://support.apple.com/en-us/120905 confirms the issue was resolved via enhanced state management in iOS 17.5 and iPadOS 17.5, recommending that users update affected devices to mitigate the vulnerability.

Details

CWE(s): NVD-CWE-noinfo CWE-863

Affected Products

apple

ipados

≤ 17.5

apple

iphone os

≤ 17.5

CVEs Like This One

CVE-2025-24200Same product: Apple Ipados

CVE-2025-24221Same product: Apple Ipados

CVE-2024-54512Same product: Apple Ipados

CVE-2024-44238Same product: Apple Ipados

CVE-2024-44276Same product: Apple Ipados

CVE-2025-31229Same product: Apple Ipados

CVE-2026-28858Same product: Apple Ipados

CVE-2026-28874Same product: Apple Ipados

CVE-2026-28875Same product: Apple Ipados

CVE-2024-54530Same product: Apple Ipados

References

https://support.apple.com/en-us/120905
Vendor Advisory · product-security@apple.com