
Apple has released iOS 18.3.1 and iPadOS 18.3.1 as an urgent security update to address a critical vulnerability that could allow attackers to bypass USB security protections on locked devices.
The security flaw, tracked as CVE-2025-24200, was discovered by security researcher Bill Marczak of The Citizen Lab at The University of Toronto's Munk School.
The vulnerability affects the USB Restricted Mode feature, a security measure introduced in iOS 11.4.1 that prevents unauthorized accessories from communicating with an Apple device if it hasn't been unlocked and connected to an accessory within the past hour.
According to Apple's advisory, the flaw stems from an authorization issue that could be exploited through a physical attack to disable USB Restricted Mode on a locked device.
Apple acknowledged that this vulnerability has already been exploited in "an extremely sophisticated attack against specific targeted individuals." The company has addressed the security issue by implementing improved state management in the latest update.
The security patch is available for a wide range of devices, including iPhone XS and later models, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. Additionally, Apple has released iPadOS 17.7.5 for older devices, including iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.
This update comes shortly after Apple patched another actively exploited vulnerability (CVE-2025-24085) in the Core Media component affecting iOS versions before 17.2.
The USB Restricted Mode feature was originally designed to prevent unauthorized access to devices by digital forensics tools, which are commonly used by law enforcement agencies to extract data from confiscated devices.
Given the active exploitation of this vulnerability, users are strongly encouraged to update their devices immediately to protect against potential security threats.