A critical USB restriction flaw was addressed in an emergency iOS and iPadOS update. Credit: Shutterstock/Tada Images

Apple has rolled out emergency security patches after discovering that an “extremely sophisticated attack” exploited a flaw in its USB Restricted Mode, potentially targeting specific individuals. The company released updates for iOS and iPadOS to fix the vulnerability, which could allow attackers with physical access to disable security protections on locked devices.

“A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” Apple’s advisory stated.

The flaw impacts multiple Apple devices. iOS 18.3.1 and iPadOS 18.3.1 apply to iPhone XS and later, iPad Pro (various models), iPad Air (3rd gen and later), iPad 7th gen and later, and iPad Mini (5th gen and later); iPadOS 17.7.5 applies to iPad Pro 12.9-inch (2nd gen), iPad Pro 10.5-inch, and iPad 6th gen.

Apple warns of physical attack bypassing USB-restricted mode

The flaw, tracked as CVE-2025-24200, allowed attackers to bypass USB Restricted Mode, a security feature designed to prevent unauthorized access via the Lightning or USB ports on locked iPhones and iPads.

USB Restricted Mode was introduced in 2018 as a defense mechanism against forensic tools like Cellebrite and GrayKey, which have been used by law enforcement to access encrypted devices.

The unusually strong language from Apple suggests a serious security concern, as Apple typically refers to vulnerabilities as “actively exploited” rather than specifying the sophistication or targeting of attacks.

“While the vulnerability requires physical access, sophisticated attackers could combine it with other remote exploits,” said Sunil Varkey, an advisor at Beagle Security. “Public charging stations at airports, malls, or hotels can be modified or compromised to exploit connected devices.
Attackers may also plant free chargers, cables, or adapters in public areas or distribute them as promotional gifts. A malicious accessory could force-enable USB data transfer and leverage the vulnerability when plugged in.”

Varkey also noted that repair shops, law enforcement agencies, or adversaries with brief physical access to a locked device could use this flaw to extract sensitive data — without needing the user’s password. This raises significant concerns about potential misuse, especially in espionage or surveillance operations.

Security researcher uncovers the exploit

The vulnerability was discovered by Bill Marczak, a senior researcher at Citizen Lab, a digital rights research group at the University of Toronto’s Munk School.

Marczak took to social media to urge users to update their devices immediately, stating: “Update your iPhones… again! iOS 18.3.1 out today with a fix for an ITW [in-the-wild] USB restricted mode bypass.”

Apple credited Marczak for reporting the issue but did not disclose details on how the exploit was used or who the targeted individuals were. The fix was implemented through improved state management, according to Apple’s advisory.

A persistent battle against device intrusions

Apple has long promoted the security and privacy of its devices, but vulnerabilities continue to surface, often exploited by government agencies and surveillance firms. Forensic technology providers like Cellebrite have built tools specifically to break into iPhones, allowing law enforcement to extract data from locked devices.

Cellebrite’s technology has been used in high-profile cases, including the attempted assassination of former US President Donald Trump, where the company reportedly unlocked the shooter’s Android device in just 40 minutes.

Experts emphasized the significance of Apple’s rare emergency update, noting that it suggests high-value individuals or organizations — potentially in government or critical infrastructure — were the targets.
“If it was a generic broad-based attack, Apple would not have mentioned the targeted nature of this,” said Yugal Joshi, Partner at Everest Group. “Though this does not reflect on Apple’s otherwise strong security practices, it does shake customer confidence, given they think of Apple as one of the last bastions of secure devices.”

Joshi also pointed out that many enterprises allow Apple devices while restricting Android phones due to security concerns. However, the emergence of such vulnerabilities raises critical questions.

“It will be interesting to know what was accessed through this mode and how grave the situation is. Though the attack may be targeted, its impact on high-value individuals and organizations can have a cascading effect,” he added.

While Apple does not directly engage with such firms, its security updates continually respond to their evolving capabilities. The company’s latest fix suggests ongoing challenges in fully securing iOS devices against physical intrusion attempts.

“This vulnerability, though considered significantly low likelihood, carries considerable severity and should not be underestimated simply because it involves a physical attack,” said Shivraj Borade, Senior Analyst at Everest Group. “In today’s interconnected world of IoT devices, no physical device is entirely isolated.”

Borade further highlighted that mobile devices are deeply integrated with a vast ecosystem of connected devices, creating an expanding attack surface: “Phones and laptops are frequently linked to a vast ecosystem of internet-connected devices, from compact Ethernet cables to large-scale smart vehicles, often through USB connections. These attacks could be state-sponsored, targeting high-net-worth individuals and key national figures. This vulnerability proves that no device is truly air-gapped, with the attack surface expanding more than ever.”

Apple urged users of the affected devices to install the patch.
This patch follows Apple’s recent fix for another zero-day vulnerability (CVE-2025-24085) that had been exploited against older iOS versions before iOS 17.2.

The broader threat of commercial spyware

Zero-day vulnerabilities in Apple’s ecosystem are highly sought after by commercial spyware vendors like NSO Group, which has been linked to government-backed surveillance operations. Spyware such as Pegasus has been used to monitor journalists, activists, and political figures worldwide.

While NSO Group claims its technology is designed to combat terrorism and serious crime, multiple reports have exposed misuse against civil society members.

Apple has been actively fighting back against such threats, previously suing NSO Group and notifying users potentially targeted by government spyware. The latest vulnerability underscores the persistent risk of highly sophisticated attacks, reinforcing the need for users to stay updated and vigilant.

Apple remains silent on further details

Apple has not yet responded to inquiries about the nature of the attack or the individuals targeted. However, given the severity of the language used in its advisory, this case highlights a growing concern over physical access exploits that can compromise even the most secure consumer devices.

For now, security experts advise iPhone and iPad users to install the latest patches immediately and remain cautious about physical access to their devices.