Apple has released an emergency security update patching a zero-day vulnerability (CVE-2025-24200) that allowed attackers to bypass USB Restricted Mode on locked iOS devices. The flaw was actively exploited in targeted attacks before the patch was available, making immediate installation critical for all affected users. The official security advisory is available through Apple’s security updates page.
What Is USB Restricted Mode
USB Restricted Mode was introduced in iOS 11.4.1 as a countermeasure against physical device exploitation. When a device has been locked for more than an hour, the feature disables data transfer through the Lightning or USB-C port. The port continues to support charging, but no data communication is permitted until the owner authenticates. This was designed specifically to block tools like Cellebrite and GrayKey — used by law enforcement and sometimes threat actors — from extracting data from a locked device.
Technical Analysis of CVE-2025-24200
The vulnerability, discovered by Bill Marczak of Citizen Lab, is classified as an authorization bypass. An attacker with physical access to a locked device could exploit the flaw to disable USB Restricted Mode without authenticating as the device owner. Apple has withheld full technical details so that they cannot be used against devices that have not yet been patched. The fixes shipped in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5.
High-Risk Groups: Journalists, Activists, Executives, Legal Professionals
The vulnerability affects:
- All iPhone users running iOS versions prior to 18.3.1
- iPad users on iPadOS below 18.3.1, or below 17.7.5 on the 17.x branch that older hardware remains on
- Individuals at elevated risk of targeted physical device seizure — journalists, activists, legal professionals, and corporate executives operating in high-risk environments
Citizen Lab’s prior research has consistently shown that vulnerabilities of this type are used in nation-state or law-enforcement-adjacent attacks. The BLASTPASS exploit chain (CVE-2023-41061 and CVE-2023-41064) previously disclosed by Citizen Lab was used to deploy Pegasus spyware without any user interaction.
Impact on Device Security and Forensic Tools
The bypass is particularly significant in the context of commercial forensic extraction tools. GrayKey (Magnet Forensics) and Cellebrite’s UFED platform rely on USB communication with locked devices to extract data or perform brute-force PIN attacks. USB Restricted Mode was a primary technical control preventing these tools from functioning on devices that had been locked for over an hour. Bypassing it essentially re-enables the attack surface these tools exploit.
Apple had already reinforced device security in late 2024 by introducing an automatic reboot of the device after extended periods of inactivity — forcing it into a “Before First Unlock” (BFU) state where encryption keys are not loaded into memory, making forensic extraction significantly harder even with USB access.
What to Do Immediately
- Update to iOS 18.3.1 or iPadOS 18.3.1 now — go to Settings > General > Software Update
- If you use an older iPad that runs iPadOS 17, update to iPadOS 17.7.5
- Enable automatic updates at Settings > General > Software Update > Automatic Updates
- Use a strong six-digit or alphanumeric passcode — a four-digit PIN offers far less protection against brute-force tools
- Power off the device entirely if you anticipate imminent physical seizure — this forces BFU state regardless of USB mode settings
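For anyone responsible for a fleet rather than a single phone, the version thresholds above translate directly into a compliance check. The script below is an added example, not Apple's or any MDM vendor's code; the CSV inventory format and device names are constructed assumptions, and the fixed versions are the ones the advisory lists (iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 on the 17.x branch).

```python
"""Flag devices in an MDM export that still lack the CVE-2025-24200 fix."""
import csv
import io
from typing import Tuple

# Fixed build per (platform, release branch), taken from the advisory text.
# Branches not listed here (iOS 17.x, anything on 16.x) have no fix of their
# own and must move to 18.3.1 or later, so 18.3.1 is the fallback threshold.
PATCHED = {
    ("iOS", 18): (18, 3, 1),
    ("iPadOS", 18): (18, 3, 1),
    ("iPadOS", 17): (17, 7, 5),
}
FALLBACK = (18, 3, 1)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.3' or '17.7.5' into a comparable tuple padded to three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(platform: str, version: str) -> bool:
    """True if this platform/version already carries the CVE-2025-24200 fix."""
    if platform not in ("iOS", "iPadOS"):
        raise ValueError(f"not an iOS/iPadOS device: {platform}")
    ver = parse_version(version)
    return ver >= PATCHED.get((platform, ver[0]), FALLBACK)

# Constructed sample inventory (assumed column names: device,platform,version).
INVENTORY = """\
device,platform,version
ipad-legal-01,iPadOS,17.7.5
ipad-legal-02,iPadOS,17.7.4
iphone-exec-01,iOS,18.3
iphone-exec-02,iOS,18.3.1
iphone-press-01,iOS,17.6.1
"""

def find_unpatched(csv_text: str) -> list:
    """Return the names of devices still exposed, in inventory order."""
    return [
        row["device"]
        for row in csv.DictReader(io.StringIO(csv_text))
        if not is_patched(row["platform"], row["version"])
    ]

if __name__ == "__main__":
    for name in find_unpatched(INVENTORY):
        print(f"UPDATE REQUIRED: {name}")
```

Note that a bare "18.3" is padded to 18.3.0 and therefore flagged, which matches the advisory: only 18.3.1 and later carry the fix.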