Apple has recently issued a critical security advisory concerning three zero-day vulnerabilities—CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085—that have been actively exploited in sophisticated attacks. These vulnerabilities affect a broad spectrum of Apple devices, including iPhones, iPads, Macs, and other platforms. Users are strongly advised to update their devices immediately to mitigate potential security risks.
Detailed Examination of the Vulnerabilities
CVE-2025-24200: Authorization Flaw in USB Restricted Mode
The first vulnerability, identified as CVE-2025-24200, is an authorization flaw that can be exploited in a physical attack to disable USB Restricted Mode on a locked device. USB Restricted Mode, introduced in iOS 11.4.1, is a security feature designed to prevent iOS and iPadOS devices from communicating with connected accessories if the device hasn’t been unlocked within the past hour. This measure is crucial for thwarting forensic tools and unauthorized data access.
According to Apple’s advisory, this vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals. The flaw was discovered and reported by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School. In practical terms, a malicious actor with physical access to the device could disable USB Restricted Mode, potentially leading to unauthorized data extraction or device manipulation.
CVE-2025-24201: WebKit Sandbox Escape
The second vulnerability, CVE-2025-24201, affects WebKit, the browser engine that powers Safari and many iOS applications. This out-of-bounds write issue could allow maliciously crafted web content to break out of the Web Content sandbox, a security mechanism designed to isolate web content from the rest of the system.
Apple describes this as a supplementary fix for an attack that was blocked in iOS 17.2 and acknowledges that it may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2. Exploiting this vulnerability could enable attackers to execute arbitrary code on the device, potentially leading to data theft, surveillance, or further system compromise.
CVE-2025-24085: Privilege Escalation in CoreMedia
The third zero-day, CVE-2025-24085, is a use-after-free vulnerability in the CoreMedia component—a framework that manages audio and video playback across Apple products. This type of vulnerability occurs when a program continues to use a pointer after it has been freed, leading to unpredictable behavior and potential security risks.
As detailed in Apple’s advisory, A malicious application may be able to elevate privileges. This vulnerability affects multiple Apple operating systems, including iOS, iPadOS, macOS, watchOS, and tvOS. The flaw has been actively exploited against older versions of iOS before iOS 17.2. Successful exploitation could allow an attacker to gain elevated privileges on the device, potentially leading to full system compromise.
Summary of the Vulnerabilities
| CVE ID | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|—————-|—————————————————————————————————–|——————————————————————————————|———————————|—————-|
| CVE-2025-24200 | iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch) | Bypass USB Restricted Mode on locked devices | Physical access to the device | 6.1 (Medium) |
| CVE-2025-24201 | iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, Safari 18.3 | Escape Web Content sandbox via malicious web content | None | 8.1 (High) |
| CVE-2025-24085 | iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, visionOS 2.3 | Privilege escalation through use-after-free vulnerability in CoreMedia | Malicious application installed | 7.8 (High) |
Mitigation Steps
Apple has released patches for all three vulnerabilities across its operating systems and devices:
– iPhones and iPads: Update to iOS 18.3/iPadOS 18.3 or later.
– Macs: Install macOS Sequoia 15.3 or later.
– Apple Watches: Use watchOS 11.3 or newer.
– Apple TVs: Update to tvOS 18.3.
– Apple Vision Pro: Apply visionOS 2.3 updates.
To update your device:
1. Navigate to Settings > General > Software Update.
2. Enable automatic updates for future patches.
Recommendations
To further protect against exploitation:
– Avoid installing untrusted applications or kernel extensions. Only download software from reputable sources, such as the official App Store.
– Exercise caution when interacting with web content. Be wary of unsolicited emails or messages containing links, and avoid visiting untrusted websites.
– Regularly back up your data. Ensure that your important data is backed up to a secure location to prevent loss in case of a security incident.
Conclusion
The discovery and active exploitation of these zero-day vulnerabilities underscore the importance of maintaining up-to-date software on all devices. By promptly applying the latest updates and adhering to recommended security practices, users can significantly reduce the risk of falling victim to sophisticated cyberattacks. Staying vigilant and proactive is essential in safeguarding personal and organizational data against emerging threats.
