CVE-2025-24200

An authorization issue was addressed with improved state management. This issue is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1. A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
PHYSICAL
LOW
NONE
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
appleCNA
---
---
CVEADP
---
---
CISA-ADPADP
6.1 MEDIUM
PHYSICAL
LOW
NONE
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
appleipados
𝑥
< 15.8.4
appleipados
16.0 ≤
𝑥
< 17.7.5
appleipados
18.0 ≤
𝑥
< 18.3.1
appleiphone_os
𝑥
< 15.8.4
appleiphone_os
16.0 ≤
𝑥
< 18.3.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://support.apple.com/en-us/122173
https://support.apple.com/en-us/122174
http://seclists.org/fulldisclosure/2025/Apr/7
http://seclists.org/fulldisclosure/2025/Feb/7
http://seclists.org/fulldisclosure/2025/Feb/8
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24200