CVE-2025-24200 in Apple iOS and iPadOS: A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
An authorization issue was addressed with improved state management. This issue is fixed in iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, iPadOS 17.7.5. A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
AI Analysis
Technical Summary
CVE-2025-24200 is an authorization vulnerability in Apple iOS and iPadOS that allows a physical attacker to disable USB Restricted Mode on a locked device. USB Restricted Mode is a security feature designed to prevent data access via USB connections when the device is locked, protecting against unauthorized data extraction through USB-based forensic tools or malicious peripherals. The root cause is an improper state management flaw that fails to enforce USB Restricted Mode restrictions under certain physical attack scenarios. Apple addressed this issue by improving state management in iOS and iPadOS updates 15.8.4, 16.7.11, 17.7.5, and 18.3.1. The vulnerability has been reportedly exploited in extremely sophisticated targeted attacks, indicating its use in high-value espionage or surveillance operations. Exploitation requires physical access to the locked device but does not require user interaction or prior authentication, making it a significant risk for individuals with high-profile or sensitive roles. The CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects that the attack vector is physical, with low attack complexity, no privileges or user interaction needed, and high impact on confidentiality and integrity. While availability is unaffected, the breach of confidentiality and integrity can lead to severe data exposure and manipulation risks. This vulnerability is classified under CWE-863 (Incorrect Authorization). No known public exploits have been confirmed, but the reported sophisticated use underscores the threat's seriousness.
Potential Impact
The primary impact of CVE-2025-24200 is the compromise of confidentiality and integrity of data on affected Apple devices. By disabling USB Restricted Mode, an attacker with physical access can connect USB devices to extract sensitive information or inject malicious payloads without unlocking the device. This can lead to data breaches involving personal, corporate, or government secrets, especially affecting high-value targets such as executives, journalists, activists, or government officials. The vulnerability does not affect device availability but undermines trust in device security controls. Organizations relying on Apple mobile devices for secure communications and data storage face increased risk of espionage, data leakage, and targeted attacks. The exploitation complexity is moderate due to the need for physical access and specialized attack methods, limiting widespread exploitation but posing a critical threat to targeted individuals. The vulnerability may also encourage adversaries to develop advanced forensic or surveillance tools to bypass device protections.
Mitigation Recommendations
To mitigate CVE-2025-24200, organizations and users should immediately apply the security updates provided by Apple in iOS and iPadOS versions 15.8.4, 16.7.11, 17.7.5, and 18.3.1 or later. Beyond patching, physical security controls must be strengthened to prevent unauthorized access to devices, including secure storage, controlled access environments, and tamper-evident measures. Device management policies should enforce encryption and strong passcodes to reduce the risk of unlocking devices if physical access is gained. Consider disabling USB data connections entirely when devices are locked, if supported by device management solutions. For high-risk users, additional protections such as hardware security modules or secure elements may be warranted. Monitoring for unusual device behavior or unauthorized access attempts can help detect exploitation attempts. Educating users about the risks of physical device compromise and enforcing strict device handling protocols are also critical. Finally, organizations should review and update incident response plans to address potential data breaches stemming from physical attacks on mobile devices.
Affected Countries
United States, United Kingdom, Germany, France, Japan, South Korea, Australia, Canada, Israel, United Arab Emirates
Technical Details
- Data Version: 5.1
- Assigner Short Name: apple
- Date Reserved: 2025-01-17T00:00:44.999Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68881727ad5a09ad0088bc5c
Added to database: 7/29/2025, 12:34:47 AM
Last enriched: 4/3/2026, 12:47:11 AM
Last updated: 5/10/2026, 9:20:51 AM