Apple Release Urgent Security Update for IOS to Address Critical Zero - Day
Technical Description
CVE-2025-24200 is classified as an authorization bypass vulnerability affecting Apple’s iOS and iPadOS. It specifically targets USB Restricted Mode, a security feature designed to prevent unauthorized USB data connections when a device is locked for an extended period.
Root Cause Analysis
The vulnerability is due to improper session state validation within lockdownd. When a device is locked, lockdownd is supposed to block all USB-based data access unless the device has been unlocked within the last hour but due to a state desynchronization issue an attacker with physical access can bypass this restriction and establish a trusted connection using a specially crafted USB request.
This is achieved by:
- Manipulating USB enumeration processes: By connecting and disconnecting a malicious accessory at precise intervals. An attacker can force lockdownd into an unexpected state.
- Triggering an unintended authorization response: The attacker exploits a logic flaw where lockdownd temporarily assumes an unlocked state, allowing unauthorized pairing.
- Injecting malicious requests: Once paired, the attacker can send commands to disable USB Restricted Mode permanently.
The vulnerability affects a wide range of iPhones and iPads running vulnerable versions of iOS and iPadOS. Below is a breakdown of the devices affected:
- iPhones (Running vulnerable iOS versions before iOS 18.3.1)
- iPads (Running vulnerable iPadOS versions before iPadOS 18.3.1 or iPadOS 17.7.5)
Fixed Versions
- iOS 18.3.1: Fixes the vulnerability on all iPhones and supported iPads.
- iPadOS 18.3.1: Fixes the vulnerability on iPads running iPadOS 18.
- iPadOS 17.7.5: Fixes the vulnerability for older iPads that are not eligible for iPadOS 18.
Conclusion
The vulnerabilities identified in the DeepSeek iOS app pose significant risks to the security and privacy of users. These findings highlight the immediate need for organizations to prohibit the app’s use to safeguard sensitive data and mitigate potential cyber risks.
Impact
Exploiting CVE-2025-24200 can allow unauthorized access to sensitive data on locked iOS and iPadOS devices, compromising the confidentiality and integrity of personal information, messages, photos, and other confidential data. This vulnerability weakens security protections intended to prevent unauthorized data extraction, posing a significant risk to the security of affected devices, particularly in targeted attacks.
IOC and Context Details
| Topics | Details |
|---|---|
| Tactic Name | TA0006: Credential Access |
| Technique Name | T1557: Man-in-the-Middle (USB-based Attack) |
| Sub Technique Name | T1557.003: Hardware Additions (Malicious USB Accessories) |
| Attack Type | Physical Access Exploit & Authorization Bypass |
| Targeted Applications | Apple IOS |
| Region Impacted | Global |
| Industry Impacted | Government, Financial, Healthcare, Technology and telecom. |
| IOC’s | NA |
| CVE | CVE-2025-24200 |
Recommended Actions
- Install Updates: Upgrade to iOS 18.3.1, iPadOS 18.3.1 and iPadOS 17.7.5 without delay.
- Review Device Security Settings: Confirm that USB Restricted Mode is enabled and is working properly.
- Monitor for Suspicious Activity: Regularly monitor your devices for any signs of unauthorized access or unusual behavior.