Apple has released an unscheduled security update for iOS and iPadOS, addressing a vulnerability known as CVE-2025-24200 that has been exploited in real attacks. The vulnerability allows attackers to bypass the limited USB access mode on locked devices, leaving them open to cyber attacks.
To exploit this vulnerability, physical access to the device is required. The limited USB access mode, introduced in iOS 11.4.1, prevents data transfer through USB unless the device has been unlocked and connected to accessories within the past hour. This feature is designed to counter digital forensic tools like CELLEBRITE and GrayKey used by law enforcement agencies.
Apple has not disclosed specific details about the issue but has stated that the vulnerability was patched by enhancing system controls. The company acknowledges that the vulnerability could have been used in sophisticated attacks targeting specific individuals. Security researcher Bill Marchak from The Citizen Lab at the University of Toronto was credited with reporting this vulnerability.
The security update is now available for the following devices and operating systems:
- iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later models, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later models, iPad Pro 11-inch 1st generation and later models, iPad Air 3rd generation and later models, 7th generation iPad and later models, 5th generation iPad mini and later models
- iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, 6th generation iPad
Each new vulnerability serves as a reminder that digital security requires ongoing updates. As some work to strengthen defenses, others seek out vulnerabilities, creating a never-ending cycle of security challenges.