Security readout for executives and security teams
Plain-English summary
CVE-2025-24200 is an Apple iOS/iPadOS authorization flaw that could let a physical attacker disable USB Restricted Mode on a locked device. Apple fixed it in listed releases and says it may have been exploited in extremely sophisticated attacks against specific targeted individuals. Business urgency is highest for users at risk of device seizure, theft, or targeted surveillance.
Executive priority
Prioritize remediation above routine medium-severity issues because CISA lists it as known exploited and Apple reports targeted exploitation. The required physical access narrows exposure, but compromise could affect sensitive device data for high-value personnel.
Technical view
The vulnerability is a CWE-863 authorization issue addressed by Apple through improved state management. The CVSS vector indicates physical access, low complexity, no privileges, no user interaction, and high confidentiality and integrity impact. Fixed releases include iOS/iPadOS 15.8.4, 16.7.11, 18.3.1, and iPadOS 17.7.5.
Likely exposure
Exposure is likely limited to Apple iPhones and iPads running versions before the fixed releases. The practical risk depends on physical access to a locked device, so executives, journalists, dissidents, legal teams, travelers, and high-value personnel face higher concern than general users.
Exploitation context
Active exploitation is supported by Apple’s statement and CISA KEV listing. The available public sources describe extremely sophisticated attacks against specific targeted individuals, not broad commodity exploitation. No public source in the bundle provides exploit steps, tooling, or broad exploitation telemetry.
Researcher notes
The source bundle supports authorization weakness, physical attack precondition, USB Restricted Mode impact, Apple fixed versions, and targeted exploitation. It does not provide affected build ranges beyond fixed release guidance, technical root cause details, indicators of compromise, or public exploit availability.
Mitigation direction
- Update eligible devices to the listed fixed Apple releases or later.
- Prioritize updates for executives and high-risk mobile users.
- Use MDM inventory to identify iOS and iPadOS versions below fixed levels.
- Review Apple security guidance for device-specific update availability.
- Treat lost, seized, or unattended high-risk devices as potentially exposed.
Validation and detection
- Confirm each managed device OS version against Apple’s fixed release list.
- Check MDM compliance reports for iOS and iPadOS update status.
- Confirm CVE-2025-24200 remains listed in CISA KEV for prioritization.
- Review incident records for physical loss or seizure of high-risk devices.
- Avoid validation methods that attempt to bypass locked-device protections.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-863: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2025-24200 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.1 (3.1)
- Known Exploited
- Yes
- Published
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CISA KEV status
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N0.95.2Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.1MediumVector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://support.apple.com/en-us/122173CVE reference
- https://support.apple.com/en-us/122174CVE reference
- https://support.apple.com/en-us/122345CVE reference
- https://support.apple.com/en-us/122346CVE reference
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24200CVE reference · government-resource
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Incorrect Authorization
Incorrect Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
