Apple Patches Critical Vulnerabilities in iOS 15 and 16


On Monday, Apple issued critical security updates that retroactively address three actively exploited zero-day vulnerabilities affecting legacy versions of its operating systems.

CVE-2025-24200

The first vulnerability, designated CVE-2025-24200, was patched in iOS 16.7.11, iPadOS 16.7.11, iOS 15.8.4, and iPadOS 15.8.4.

CVE-2025-24200 allows a physical attacker to disable USB Restricted Mode on an Apple device. This is a security feature designed to block unauthorised data access through the USB port when the iPhone or iPad is locked for over an hour.

Apple said CVE-2025-24200 “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” hinting at potential involvement from state-sponsored actors aiming to surveil high-value targets such as government officials, journalists, or senior business executives. Although initially patched on February 10 in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5, the vulnerability remained unresolved in older operating systems until now.


CVE-2025-24201

The second flaw, CVE-2025-24201, was also patched in iOS 16.7.11, iPadOS 16.7.11, iOS 15.8.4, and iPadOS 15.8.4.

This flaw is in WebKit, the browser engine used by Safari to render web pages. It allows malicious code running inside the Web Content sandbox — an isolated environment intended to contain browser-based threats — to escape and compromise broader system components.

CVE-2025-24201 was first mitigated in iOS 17.2 in late 2023, followed by a supplemental patch in iOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. The flaw has now been retrospectively addressed in iOS and iPadOS 15 and 16.

CVE-2025-24085

CVE-2025-24085, the third vulnerability, was patched in iPadOS 17.7.6, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.

The use-after-free vulnerability is in Apple’s Core Media, the framework responsible for handling media processing tasks such as audio and video playback in apps. It allows attackers to seize control of deallocated memory and repurpose it to execute privileged malicious code.
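To make the use-after-free class concrete, here is an added example in C that is not from the article and not Apple's Core Media code. It models a small buffer table with a constructed "media buffer" slot structure: one function shows the bug pattern (a caller keeps a raw reference across a free and silently reads whatever object is placed in the slot next), and the other shows a common mitigation, generation-checked handles, where a stale handle fails validation instead of aliasing the new tenant. All names (`buf_alloc`, `buf_resolve`, `buf_free`, `handle_t`) are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Apple code: a tiny buffer table that illustrates
 * the use-after-free pattern and a generation-checked handle mitigation.
 * A handle carries (slot index, generation). Freeing a slot bumps its
 * generation, so a handle kept from the previous lifetime no longer validates. */

#define SLOTS 4

typedef struct {
    uint32_t generation;  /* incremented on every free */
    int in_use;
    char *data;           /* heap buffer owned by the slot */
} slot_t;

typedef struct {
    uint32_t index;
    uint32_t generation;
} handle_t;

static slot_t table[SLOTS];

/* Allocate a zeroed buffer and return a handle valid only for this lifetime. */
handle_t buf_alloc(size_t len) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            table[i].data = calloc(len, 1);
            handle_t h = { i, table[i].generation };
            return h;
        }
    }
    handle_t none = { UINT32_MAX, 0 };
    return none;
}

/* Resolve a handle to its buffer, or NULL if the handle is stale or bogus. */
char *buf_resolve(handle_t h) {
    if (h.index >= SLOTS) return NULL;
    slot_t *s = &table[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;  /* stale */
    return s->data;
}

/* Free the buffer; the slot's generation moves on, invalidating old handles.
 * Returns -1 for a stale handle, which also refuses a double free. */
int buf_free(handle_t h) {
    char *d = buf_resolve(h);
    if (!d) return -1;
    slot_t *s = &table[h.index];
    free(d);
    s->data = NULL;
    s->in_use = 0;
    s->generation++;
    return 0;
}

/* The bug pattern: a cached raw reference survives the free and, once the
 * slot is reused, reads the next tenant's contents. Returns 1 if that happened. */
int raw_pointer_aliases_new_tenant(void) {
    handle_t a = buf_alloc(16);
    slot_t *cached = &table[a.index];       /* raw reference kept across the free */
    strcpy(cached->data, "first");
    buf_free(a);
    handle_t b = buf_alloc(16);             /* lands in the same slot */
    strcpy(buf_resolve(b), "second");
    int aliased = (a.index == b.index) && strcmp(cached->data, "second") == 0;
    buf_free(b);
    return aliased;
}

/* The mitigation: same sequence through generation-checked handles.
 * Returns 1 if the stale handle is rejected while the live one resolves. */
int stale_handle_rejected(void) {
    handle_t a = buf_alloc(16);
    buf_free(a);
    handle_t b = buf_alloc(16);
    int rejected = buf_resolve(a) == NULL && buf_resolve(b) != NULL;
    buf_free(b);
    return rejected;
}

int main(void) {
    printf("raw reference reads new tenant: %d\n", raw_pointer_aliases_new_tenant());
    printf("stale handle rejected:          %d\n", stale_handle_rejected());
    return 0;
}
```

The raw-reference function is the shape of the defect the article describes: the memory is released, reallocated to something else, and the old reference is still honoured. The handle version is the shape of the defence many kernels and frameworks adopt: callers never hold the object directly, every access is validated against the current generation, and a double free is refused rather than corrupting the allocator.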

The flaw was originally patched in January with iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3; Apple has now backported the fix to older systems.

Other vulnerabilities were patched in iOS 18.4

Alongside new Apple Intelligence features and emojis, iOS 18.4 — released on Tuesday — delivers fixes for new vulnerabilities, including:

  • CVE-2025-30456: A flaw in the DiskArbitration framework that allowed apps to escalate their privileges to root.
  • CVE-2025-24097: A flaw in AirDrop that allowed unauthorised apps to access file metadata, such as creation dates or user details.
  • CVE-2025-31182: A flaw in the libxpc framework that lets apps delete arbitrary files on the device.
  • CVE-2025-30429, CVE-2025-24178, CVE-2025-24173: Flaws that allowed apps to break out of the sandbox in Calendar, libxpc, and Power Services, respectively.
  • CVE-2025-30467: A flaw in Safari that could allow malicious websites to spoof the address bar.

Apple users are strongly urged to update their devices immediately to guard against exploitation of these now-publicised vulnerabilities. While most users will receive automatic update prompts, manual updates can be performed via Settings, General, and then Software Update.
