
Apple’s security patch highlights the growing security threat

Tuesday 11 February 2025, 17:59, by ComputerWorld
Apple’s platforms may be more secure by design than others, but that doesn’t make them invulnerable to attack. That’s why every user should install the company’s latest security patch — it fixes a hole Apple says may already have been in active use.

It is important to note that the attack seems to be one that requires direct, physical access to the target device. But iPhones, Macs, and iPads all seem to be vulnerable. 

Update your devices today

The language used in the company’s description of the patch (CVE-2025-24085) is notably more urgent than usual. Introducing it, Apple states: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

Adam Boynton, senior security strategy manager at Jamf, has said the flaw could potentially let attackers gain full admin access to a hacked device.

The indications are that this vulnerability formed part of highly targeted attacks. It is also important to note that Apple has published software patches to protect against this vulnerability for several older Mac operating systems, including macOS Sequoia, Sonoma, and Ventura. Patches for older iPads, Apple Watch and Vision OS devices were also made available.

Was this a state actor?

The description strongly hints the vulnerability may have been actively used in major attacks to sidestep USB-based attacks, enabling unauthorized USB devices to be used to exfiltrate user data. So does the discoverer of the flaw, Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School.

What makes this feel a little worse is that Apple is “aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.”

While additional information is not provided — Apple likes to limit what it reveals so assailants are kept in the dark as to how it deploys improved protection — it is reasonable to see this as a big red flag reflecting the current threat environment.

Look at recent security scares across multiple platforms and it becomes clear that nation-state attacks are intensifying, that surveillance-as-a-service firms continue to be a near and present threat, and ill-thought-through moves by some governments will eventually make things even more insecure.

No one is secure until everyone is secure

Take the power-crazed authoritarianism of the recent UK government move to demand Apple open up the iCloud data of billions to surveillance by UK authorities. Other than the color of the national flag, there is no difference between the potential abuse of the back door the UK now demands from Apple and the US-mandated door recently exploited by allegedly Chinese terrorists. As almost every security expert universally agrees, there is no such thing as a safe back door. The keys will proliferate, the cost of mounting attacks shrink, and eventually there is no security left at all.

That’s what seems to be important about Apple’s latest update; it seems designed to put a stop to at least one attack vector that could be exploited by sophisticated attackers. That’s why the company referred to “an extremely sophisticated attack against specific targeted individuals.” 

The threat against individuals also deserves to be contextualized. Nation-state attackers are increasingly targeting operational infrastructure (OT) and in those exploits individual security becomes a link in complex, planned excursions to penetrate trusted, vital systems. That’s everything from road transport management to smart factories. An individual might not be the final target, but their security — or lack of it — is a link in a chain of attacks to undermine OT security.

In other words, by making individuals less safe, weak security makes everything else less safe, including nations, economies, manufacturing, transit systems and more.

Protecting those assets is in every nation’s interest, which is why Apple has pushed out this patch, why you should install it, and why any nation plotting to weaken security for any reason should think more than twice before doing so. There is no such thing as a safe back door — and no one using confidential data should ever use a public USB charging system, just in case there’s a monster within.

In the meantime, install Apple security updates as they appear. Just because you don’t happen to be a high-value target doesn’t mean you have not been identified as part of a potential route to attack one. 

https://www.computerworld.com/article/3821965/apples-security-patch-highlights-the-growing-security-...
