Critical iOS Vulnerability Allows Malicious Apps to Brick iPhones with a Single Line of Code

A recently discovered critical vulnerability in Apple’s iOS operating system, identified as CVE-2025-24091, enables malicious applications to render iPhones inoperable using just a single line of code. This flaw exploits the Darwin notifications system, a fundamental component of iOS, to initiate an endless reboot cycle, effectively bricking the device and necessitating a complete system restore.

Understanding the Darwin Notification Vulnerability

Darwin notifications serve as a low-level messaging mechanism within the CoreOS layer of iOS, facilitating system-wide event communication between processes. Unlike higher-level notification systems such as NSNotificationCenter or NSDistributedNotificationCenter, Darwin notifications operate at a more fundamental level across Apple’s operating systems.

Security researcher Guilherme Rambo, who uncovered this vulnerability, explained, “Darwin notifications are even simpler, as they’re a part of the CoreOS layer. They provide a low-level mechanism for simple message exchange between processes on Apple’s operating systems.”

The critical flaw arises from the fact that any application on iOS could send sensitive system-level Darwin notifications without requiring special privileges or entitlements. This oversight allows malicious apps to trigger powerful system functions, including placing the device into a “restore in progress” mode.

The One-Line Exploit

The exploit is alarmingly straightforward. A single line of code can force the device into a “Restore in Progress” state:

```objc
notify_post("com.apple.mobile.restored");
```

When executed, this code compels the device to enter a restoration state. Since no actual restore is occurring, the process inevitably fails, prompting the user to restart the device. Rambo developed a proof-of-concept attack named VeryEvilNotify that implemented this exploit within a widget extension.

“Widget extensions are periodically woken up in the background by iOS,” noted Rambo. “Because of how widespread the use of widgets is on the system, when a new app that includes a widget extension is installed and launched, the system is very eager to execute its widget extension.”

By embedding the exploit in a widget that repeatedly crashes after sending the notification, Rambo created a persistent attack that would trigger after each restart, creating an endless loop that rendered the device unusable.

Risk Factors and Impact

– Affected Products: iOS devices, including iPhones and iPads running versions prior to iOS/iPadOS 18.3.
– Impact: Denial of Service (DoS), rendering devices inoperable.
– Exploit Prerequisites: Any sandboxed app or widget extension can trigger the exploit; no special privileges are required.
– CVSS 3.1 Score: High.

Mitigation Measures

Apple addressed this vulnerability in iOS 18.3 by implementing a new entitlement system for sensitive Darwin notifications. Rambo was awarded a bug bounty of $17,500 for his discovery.

Specifically, system notifications now require the prefix com.apple.private.restrict-post. Additionally, sending processes must possess restricted entitlements in the form of com.apple.private.darwin-notification.restrict-post..
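
An added example, not code from the article, from Rambo or from Apple: a source-audit check that flags notify_post calls posting into Apple's com.apple. namespace, the behaviour the entitlement requirement above restricts. The file name, the severity labels and every notification name in the sample are constructed for illustration.

```python
import re

# Apple's reverse-DNS namespace; a third-party app has no reason to post into it.
SYSTEM_NAMESPACE = "com.apple."
# Prefix that, per the article, restricted system notifications carry since iOS 18.3.
RESTRICTED_PREFIX = "com.apple.private.restrict-post"

CALL = re.compile(r'\bnotify_post\s*\(\s*([^)]*?)\s*\)')  # notify_post(<argument>)
LITERAL = re.compile(r'^@?"([^"]*)"$')                     # "name" or @"name"


def audit_source(path, text):
    """Return (path, line_no, severity, detail) for each suspicious notify_post call."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # naive: drop trailing line comments
        for match in CALL.finditer(code):
            arg = match.group(1)
            literal = LITERAL.match(arg)
            if literal is None:
                # Name computed at run time: a string scan cannot vouch for it.
                findings.append((path, line_no, "review", arg))
            elif literal.group(1).startswith(RESTRICTED_PREFIX):
                findings.append((path, line_no, "restricted", literal.group(1)))
            elif literal.group(1).startswith(SYSTEM_NAMESPACE):
                findings.append((path, line_no, "system", literal.group(1)))
    return findings


# Constructed sample source; every notification name here is made up for the example.
SAMPLE = '''\
#include <notify.h>
void refresh(void) { notify_post("com.example.widget.refresh"); }
void a(void) { notify_post("com.apple.example.constructed-event"); }
void b(const char *n) { notify_post(n); }
// notify_post("com.apple.example.commented-out");
void c(void) { notify_post("com.apple.private.restrict-post.example.constructed"); }
'''

if __name__ == "__main__":
    for finding in audit_source("Widget.m", SAMPLE):
        print(*finding, sep="\t")
```

Calls whose name is built at run time are reported as "review" rather than passed, because a literal scan cannot tell which namespace they end up posting to.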

This is not the first time Darwin-related vulnerabilities have been identified in Apple’s systems. Previously, Kaspersky Lab discovered a “Darwin Nuke” vulnerability that allowed remote attackers to initiate denial-of-service attacks through specially crafted network packets.

Recommendations for Users

All iPhone users are strongly advised to update to iOS 18.3 or later immediately. Devices running earlier versions remain vulnerable to this attack, which could be deployed through seemingly innocent applications or widgets available through the App Store or other sources.