CVE-2025-24200 — Apple iOS and iPadOS Incorrect Authorization Vulnerability

CVE-2025-24200

Apple iOS and iPadOS — Physical-Access Bypass of USB Restricted Mode

What is iOS USB Restricted Mode?

Apple iOS and iPadOS power iPhone and iPad devices used by government officials, executives, journalists, activists, and security-sensitive organizations worldwide. USB Restricted Mode is a security feature introduced in iOS 11.4.1 that blocks USB accessories from establishing a data connection with a device that has not been unlocked within the past hour. The feature was designed specifically to resist forensic extraction tools — such as GrayKey (Grayshift) and Cellebrite UFED — which can extract device data and bypass the passcode via the Lightning or USB-C port when physical access is available.

Overview

CVE-2025-24200 is an authorization flaw in iOS and iPadOS that allows a person with physical access to a locked device to disable USB Restricted Mode. With USB Restricted Mode deactivated, forensic extraction tools can communicate with the device, potentially enabling data extraction or passcode brute-force attacks. Apple stated in its advisory that the vulnerability was exploited in "extremely sophisticated attacks against specific targeted individuals" — the company's standard language for nation-state or state-adjacent threat actors, typically mercenary spyware operators. The vulnerability was discovered by Bill Marczak of Citizen Lab, a research group at the University of Toronto known for uncovering NSO Group's Pegasus spyware and similar surveillance operations.

Affected Versions

Product                      Vulnerable   Fixed
iOS                          < 18.3.1     18.3.1
iPadOS                       < 18.3.1     18.3.1
iPadOS (older iPad models)   < 17.7.6     17.7.6

Technical Details

CWE-863 (Incorrect Authorization) captures the root cause: the iOS access control logic governing USB Restricted Mode contained a flaw exploitable with physical device access. Apple did not publicly disclose the precise technical mechanism, consistent with its policy of withholding vulnerability details while patches propagate. Key characteristics:

  • Physical access required — the attacker must have the locked device in hand; no remote exploitation vector exists.
  • No unlock required — the bypass works on a locked device; the attacker does not need the passcode.
  • Specialized tooling implied — the "extremely sophisticated" exploitation language suggests the technique required purpose-built hardware or software beyond commodity forensic kits.

With USB Restricted Mode disabled, forensic tools can interface with the device over USB, enabling potential data extraction or passcode attacks depending on the device's encryption state and iOS version.

Discovery

Discovered by Bill Marczak of the Citizen Lab, University of Toronto. Marczak is a senior researcher whose work has been central to uncovering NSO Group's Pegasus spyware, Candiru's surveillance tools, and other nation-state mobile exploitation campaigns targeting at-risk individuals.

Exploitation Context

Apple's advisory language — "extremely sophisticated attacks against specific targeted individuals" — indicates targeted surveillance by nation-state actors or commercial spyware vendors. The physical access requirement limits the threat model to specific scenarios: device confiscation at border crossings, detention by authorities, theft by operatives with access to a target's device, or hotel room intrusions.

High-risk targets include government officials, journalists, human rights workers, political dissidents, and executives in sensitive industries. Disabling USB Restricted Mode and then attaching forensic extraction tooling gives an attacker a path around the protection that full-disk encryption otherwise provides and, in some configurations, the ability to brute-force the passcode or exploit firmware-level vulnerabilities.

Remediation

  1. Apply iOS 18.3.1 / iPadOS 18.3.1 (or 17.7.6 for older iPad models that do not support iOS 18).
  2. For individuals at elevated risk: enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode), which significantly restricts the attack surface for sophisticated exploitation.
  3. Use a strong alphanumeric passcode (not a 6-digit PIN) to maximize resistance to brute-force attacks if USB access is obtained.
  4. Enable Erase Data (Settings → Face ID & Passcode → Erase Data) to wipe the device after 10 failed passcode attempts — appropriate for highest-risk scenarios where device loss or confiscation is a concern.
  5. Treat any period of physical access by untrusted parties as a potential compromise event; consider device attestation or remote wipe if the device was out of your control.
  6. Enterprise environments should enforce these settings via MDM policy and configure remote wipe capabilities for issued devices.
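For step 6, an inventory check that applies this advisory's fix table to an MDM device export, added here as an example (not Apple's or the advisory's own code): it handles the two release branches, treating iPadOS 17.7.6 as patched for older iPads while flagging 18.3 and 17.7.5 builds. The inventory rows and the "serial", "os" and "version" field names are constructed assumptions.

```python
# Fixed builds per release branch, from the advisory's Affected Versions table:
# 18.3.1 for iOS/iPadOS 18, 17.7.6 for iPadOS on iPads that cannot run iOS 18.
FIXED_BY_BRANCH = {18: (18, 3, 1), 17: (17, 7, 6)}

# Constructed sample rows, not real device data. A real run would read these
# from the MDM's device export; "serial", "os", "version" are assumed field names.
SAMPLE_INVENTORY = [
    {"serial": "DEV-001", "os": "iOS", "version": "18.3.1"},
    {"serial": "DEV-002", "os": "iOS", "version": "18.3"},
    {"serial": "DEV-003", "os": "iPadOS", "version": "17.7.6"},
    {"serial": "DEV-004", "os": "iPadOS", "version": "17.7.5"},
    {"serial": "DEV-005", "os": "iPadOS", "version": "18.4"},
]


def parse_version(text: str) -> tuple:
    """Turn '18.3' or '17.7.6' into a comparable 3-tuple ('18.3' -> (18, 3, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable(os_name: str, version: str) -> bool:
    """True if the device has not received the fix for its release branch.

    18.x needs 18.3.1; 17.x is fixed only at iPadOS 17.7.6 (older iPads).
    Builds with no fix line on the page (pre-17, or iOS rather than iPadOS on
    17.x) are flagged as unresolved: a conservative assumption, not a statement
    from the advisory.
    """
    v = parse_version(version)
    major = v[0]
    if major > 18:  # later branches ship after the fix
        return False
    if major == 17 and os_name.lower() != "ipados":
        return True
    fixed = FIXED_BY_BRANCH.get(major)
    return fixed is None or v < fixed


def triage(inventory: list) -> list:
    """Return serials of devices that still need the CVE-2025-24200 update."""
    return [d["serial"] for d in inventory if is_vulnerable(d["os"], d["version"])]


if __name__ == "__main__":
    print("Still exposed:", triage(SAMPLE_INVENTORY))  # ['DEV-002', 'DEV-004']
```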

Key Details

Property              Value
CVE ID                CVE-2025-24200
Vendor / Product      Apple — iOS and iPadOS
NVD Published         2025-02-10
NVD Last Modified     2026-04-03
CVSS 3.1 Score        6.1
CVSS 3.1 Vector       CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity              MEDIUM
CWE                   CWE-863
CISA KEV Added        2025-02-12
CISA KEV Deadline     2025-03-05
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Physical
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2025-03-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-02-05  Apple releases iOS 18.3.1 / iPadOS 18.3.1 with patch
2025-02-10  CVE published
2025-02-12  Added to CISA Known Exploited Vulnerabilities catalog
2025-03-05  CISA BOD 22-01 remediation deadline