Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Authorization bypass disabling USB Restricted Mode on locked Apple devices

IdentifiersCVE-2025-24200CWE-863· Incorrect Authorization

CVE-2025-24200 is an authorization issue in Apple iOS and iPadOS, described by Apple as being fixed through improved state management. The flaw affects the Accessibility component and allows a physical attacker to disable USB Restricted Mode on a locked device. USB Restricted Mode is intended to limit USB-based access when a device has been locked for a period of time; bypassing it weakens a key forensic and intrusion-resistance control on locked iPhones and iPads. Apple reported that the issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker with physical possession of a locked vulnerable device to disable USB Restricted Mode, reducing protections against USB-based access while the device remains locked. This can materially increase the risk of device compromise, forensic extraction, or follow-on attacks using connected accessories or specialized hardware. Apple stated it is aware of reports that the vulnerability was exploited in highly targeted real-world attacks.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce opportunities for physical access to locked devices, maintain strict device custody, and treat loss or temporary seizure of an unpatched device as a potential compromise event. Because exploitation requires physical access, operational mitigations center on physical security and minimizing attacker access windows. However, patching is the primary effective mitigation based on the available information.

Remediation

Patch, then assume compromise.

Apply Apple's fixed releases: iOS 15.8.4 and iPadOS 15.8.4; iOS 16.7.11 and iPadOS 16.7.11; iOS 18.3.1 and iPadOS 18.3.1; and iPadOS 17.7.5, as applicable to the device model. Apple indicates the issue was remediated through improved state management.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AppleIpadosoperating_system
AppleIphone Osoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Authorization issue in iOS/iPadOS that can allow disabling USB Restricted Mode on a locked device; reported exploited in the wild.

Read more
the hacker newsNews
Dec 13, 2025
Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild

An Apple zero-day vulnerability referenced as exploited in the wild in 2025 (no additional technical details provided in the content).

Read more
help net securityNews
Jun 13, 2025
iOS zero-click attacks used to deliver Graphite spyware (CVE-2025-43200)

A vulnerability in iOS that allows attackers with physical access to a locked device to disable USB Restricted Mode, potentially facilitating further compromise.

Read more
the hacker newsNews
Jun 13, 2025
Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware

An undisclosed zero-day vulnerability in Apple products, resolved in the same update as CVE-2025-43200. It was actively exploited, but technical details and exploitation context are not provided.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-24200
NVD
nvd.nist.gov/vuln/detail/CVE-2025-24200
MITRE CWE · CWE-863
Incorrect Authorization
Vendor Advisory
support.apple.com/en-us/122173
Vendor Advisory
support.apple.com/en-us/122174
Vendor Advisory
support.apple.com/en-us/122345
Vendor Advisory
support.apple.com/en-us/122346
Third Party Advisory
seclists.org/fulldisclosure/2025/Apr/7
Third Party Advisory
seclists.org/fulldisclosure/2025/Feb/7
Third Party Advisory
seclists.org/fulldisclosure/2025/Feb/8
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24200