CVE-2025-24200
Published: 10 February 2025
Summary
CVE-2025-24200 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Apple iPadOS. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration over USB (T1052.001). It ranks in the top 2.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-19 (Access Control for Mobile Devices) and PE-3 (Physical Access Control).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the authorization flaw by requiring timely patching of the state management issue fixed in specified iOS/iPadOS updates.
Prevents the physical access required to exploit the vulnerability and disable USB Restricted Mode on a locked device.
Enforces usage restrictions and access controls specifically for mobile devices to limit unauthorized USB access and functions on locked iOS/iPadOS devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows physical attackers to disable USB Restricted Mode on a locked device, directly facilitating exfiltration of data over USB physical medium (T1052.001).
NVD Description
An authorization issue was addressed with improved state management. This issue is fixed in iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, iPadOS 17.7.5. A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Deeper analysis
CVE-2025-24200 is an authorization vulnerability (CWE-863: Incorrect Authorization) stemming from improper state management, affecting multiple versions of iOS and iPadOS. Specifically, it impacts iOS and iPadOS prior to iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, and iPadOS 17.7.5. The flaw enables a physical attack to disable USB Restricted Mode on a locked device, with a CVSS v3.1 base score of 6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An attacker with physical access to the device can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation disables USB Restricted Mode while the device remains locked, potentially granting high-impact access to confidential data and enabling integrity modifications without affecting availability.
Apple's security advisories detail mitigations through updated firmware releases that address the state management issue, including iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5. Practitioners should prioritize patching affected devices, as referenced in Apple support documents such as https://support.apple.com/en-us/122173 and related updates.
Apple has noted awareness of a report indicating this issue may have been exploited in an extremely sophisticated attack targeting specific individuals.
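To act on the patching guidance above, the following added example (not from Apple, NVD or this page's publisher) checks a device inventory against the fixed releases listed in the description. The inventory rows, function names and status labels are constructed for illustration. Branches with no fixed release named on this page (for example iOS 17.x) are reported separately rather than guessed, and treating major versions above 18 as patched is an assumption.

```python
# Added example: classify devices against the fixed releases named on this page.
# Keys are (platform, major version); values are the first fixed release.
FIXED = {
    ("ios", 15): (15, 8, 4), ("ipados", 15): (15, 8, 4),
    ("ios", 16): (16, 7, 11), ("ipados", 16): (16, 7, 11),
    ("ipados", 17): (17, 7, 5),  # the page lists only iPadOS for the 17.x branch
    ("ios", 18): (18, 3, 1), ("ipados", 18): (18, 3, 1),
}
NEWEST_BRANCH = 18  # highest major version with a fix listed on this page


def parse_version(text):
    """Turn '18.3' or '16.7.11' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(platform, version):
    """Return 'patched', 'vulnerable' or 'no-fix-listed' for one device."""
    plat = platform.strip().lower()
    if plat not in ("ios", "ipados"):
        raise ValueError(f"unsupported platform: {platform!r}")
    ver = parse_version(version)
    if ver[0] > NEWEST_BRANCH:
        return "patched"  # assumption: later major releases include the fix
    fixed = FIXED.get((plat, ver[0]))
    if fixed is None:
        return "no-fix-listed"  # page names no fix for this branch; review manually
    return "patched" if ver >= fixed else "vulnerable"


def audit(inventory):
    """Return (device, status) for every device that is not confirmed patched."""
    results = [(name, assess(plat, ver)) for name, plat, ver in inventory]
    return [(name, status) for name, status in results if status != "patched"]


# Constructed sample inventory (device name, platform, OS version).
SAMPLE_INVENTORY = [
    ("exec-phone-01", "iOS", "18.3"),
    ("kiosk-pad-07", "iPadOS", "17.7.5"),
    ("field-phone-12", "iOS", "17.7.2"),
    ("legacy-pad-03", "iPadOS", "16.7.9"),
]

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY):
        print(f"{device}: {status}")
```

Devices reported as `no-fix-listed` need a manual decision, typically moving them to a branch that has a fixed release.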
Details
- CWE(s)
- KEV Date Added: 12 February 2025