This report details a critical, unpatched vulnerability in Apple's iOS activation infrastructure, specifically targeting the SIM activation endpoint at https://humb.apple.com/humbug/baa. The vulnerability allows an attacker to send unauthenticated XML provisioning payloads to this endpoint during the initial device setup process. Notably, this affects all iPhones during their initial setup phase, including after a factory reset, without requiring jailbreak, Apple ID credentials, or Mobile Device Management (MDM) enrollment. The endpoint accepts these unauthenticated provisioning payloads and responds with HTTP 200 OK, applying persistent, device-level configuration changes. This means an attacker with network access during the activation phase could inject malicious provisioning profiles or configurations that persist on the device, potentially altering device behavior, enabling backdoors, or compromising device integrity. Because the vulnerability resides in the activation infrastructure, it impacts devices at a fundamental level before normal security controls or user authentication are in place. The lack of authentication and the persistence of the changes make this a highly critical flaw. The vulnerability has not yet been patched, and no known exploits are currently observed in the wild. The technical details are limited, but the core issue is the acceptance of unauthenticated provisioning XML payloads by a critical Apple activation endpoint, which should normally validate and authenticate such requests. This flaw undermines the trust model of iOS device provisioning and activation, potentially allowing attackers to compromise devices during their most vulnerable setup phase.

For European organizations, this vulnerability poses a significant risk, especially for enterprises and government agencies deploying iPhones at scale. Since the flaw affects devices during initial setup or after factory reset, attackers with network access (e.g., via compromised Wi-Fi networks, malicious mobile carriers, or man-in-the-middle attacks on activation traffic) could inject malicious configurations that persist on devices. This could lead to unauthorized device control, data exfiltration, or persistent backdoors that evade traditional endpoint protections. The impact extends to supply chain security, as devices could be compromised before reaching end users. Given the widespread use of iPhones in European corporate and governmental environments, the vulnerability threatens confidentiality, integrity, and availability of sensitive data and communications. The lack of authentication and the persistence of injected configurations increase the risk of targeted espionage or sabotage campaigns. Additionally, the inability to detect or easily remediate such provisioning injections without a patch complicates incident response and increases exposure duration. The vulnerability also undermines user trust in device security and could have regulatory implications under GDPR if personal data is compromised through this vector.

Immediate mitigation options are limited due to the vulnerability residing in Apple's activation infrastructure and the lack of an available patch. However, European organizations can take several practical steps: 1) Restrict and monitor network access during device activation phases, ensuring activation traffic occurs only on trusted, secured networks to prevent man-in-the-middle attacks. 2) Employ Mobile Device Management (MDM) solutions that can detect and remediate unauthorized configuration profiles post-activation, although this does not prevent initial injection. 3) Delay device activation until devices can be activated in controlled environments with network protections such as VPNs or isolated activation networks. 4) Educate IT staff and end users about the risks of activating devices on untrusted networks. 5) Monitor for unusual device behavior or configuration changes indicative of provisioning injection. 6) Engage with Apple support channels to prioritize patch deployment and request guidance. 7) For high-security environments, consider temporarily restricting iPhone deployment until a patch is available. These mitigations focus on reducing exposure during the vulnerable activation window and improving detection and remediation capabilities post-activation.