CVE-2025-24200 is a medium-severity vulnerability affecting Apple iPadOS and iOS devices, specifically related to an authorization flaw that allows a physical attacker to disable USB Restricted Mode on a locked device. USB Restricted Mode is a security feature designed to prevent data extraction via USB connections when the device is locked, thereby protecting against unauthorized access through physical interfaces. The vulnerability arises from improper state management in the authorization process, which an attacker with physical access can exploit to bypass this restriction. Apple addressed this issue in iPadOS 17.7.5 and iOS 18.3.1 by improving state management to ensure USB Restricted Mode cannot be disabled without proper authorization. Although no broad exploit campaigns have been confirmed, Apple acknowledges reports of this vulnerability being leveraged in highly sophisticated attacks targeting specific individuals, indicating a potential use in espionage or high-value targeted intrusions. The CVSS vector (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates that exploitation requires physical access (Attack Vector: Physical), has low attack complexity, requires no privileges or user interaction, and impacts confidentiality and integrity significantly, but not availability. The vulnerability is categorized under CWE-863 (Incorrect Authorization), highlighting the failure to enforce proper access controls. This flaw primarily threatens the confidentiality and integrity of data on affected devices by enabling attackers to circumvent USB data protection mechanisms on locked devices.

The vulnerability allows attackers with physical access to bypass USB Restricted Mode on locked Apple devices, potentially enabling unauthorized data extraction or device manipulation via USB interfaces. This compromises the confidentiality and integrity of sensitive information stored on the device, including personal data, corporate secrets, or classified information. Organizations relying on Apple devices for secure communication or data storage face increased risk of targeted espionage or data theft, especially in environments where physical device security cannot be guaranteed. The attack does not affect availability but can lead to significant breaches of privacy and data security. Given the sophistication reported in targeted attacks, high-profile individuals and organizations are at elevated risk. The medium CVSS score reflects the balance between the requirement for physical access and the high impact on data confidentiality and integrity. Failure to mitigate this vulnerability could undermine trust in device security and lead to costly data breaches or espionage incidents.

Organizations and users should immediately apply the security updates provided by Apple, specifically iPadOS 17.7.5 and iOS 18.3.1 or later, to remediate this vulnerability. Beyond patching, enforcing strict physical security controls is critical to prevent unauthorized physical access to devices, including secure storage, access controls, and surveillance in sensitive environments. Device management policies should include disabling USB data access where possible or using Mobile Device Management (MDM) solutions to enforce USB restrictions. Regular audits of device security posture and user training on the risks of physical device compromise can further reduce exposure. For high-risk environments, consider additional hardware protections such as tamper-evident seals or secure enclosures. Monitoring for unusual USB activity and employing endpoint detection solutions capable of identifying unauthorized data extraction attempts can provide early warning of exploitation attempts. Finally, organizations should review and update incident response plans to address potential physical attack scenarios involving mobile devices.