Pierluigi Paganini February 15, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The two vulnerabilities are:

• CVE-2025-24200 Apple iOS and iPadOS Incorrect Authorization Vulnerability
• CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability

This week Apple released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24200, that the company believes was exploited in “extremely sophisticated” targeted attacks.

An attacker could have exploited the vulnerability to disable the USB Restricted Mode “on a locked device.”

Apple’s USB Restricted Mode is a security feature introduced in iOS 11.4.1 to protect devices from unauthorized access via the Lightning port.

The USB Restricted Mode disables the data connection of the iPhone’s Lightning port after a specific interval of time, but it doesn’t interrupt the charging process. Any other data transfer would require the user to provide the passcode.

The IT giant fixed the vulnerability with improved state management.

“A physical attack may disable USB Restricted Mode on a locked device,” reads the release notes for iOS 18.3.1 and iPadOS 18.3.1. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

The zero-day impacts the following devices: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

Apple also released 17.7.5 to address the issues in iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.

As usual, Apple did not publicly disclose details about the attacks exploiting the vulnerability or the threat actors responsible. However, the circumstance that the Citizen Lab researchers discovered the attack suggests that the threat actor may have used a zero-day exploit to deliver commercial spyware in highly targeted attacks. Such kinds of attacks often rely on zero-day exploits to target journalists, dissidents, and opposition politicians with spyware. Another possibility is that Apple is aware of physical access attacks on some of its devices, likely involving forensic tools like Cellebrite to unlock and extract data.

The second vulnerability added to the CISA KEV catalog is CVE-2024-41710, which affects Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit through R6.4.0.HF1 (R6.4.0.136).

In mid-July 2024, Mitel addressed the vulnerability with the release of firmware updates. The vendor warned that exploitation of the flaw “could allow an authenticated attacker with administrative privilege to conduct a command injection attack due to insufficient parameter sanitization during the boot process”.

A month later, the PacketLabs researcher Kyle Burns published a PoC exploit code for the vulnerability CVE-2024-41710.

At the end of January, Akamai researchers spotted a new variant of the Mirai-based botnet Aquabot that is targeting vulnerable Mitel SIP phones.

Aquabot is a Mirai-based botnet designed for DDoS attacks. Named after the “Aqua” filename, it was first reported in November 2023.

As this is the third distinct iteration of Aquabot, Akamai tracked this variant as Aquabotv3. The bot targets the command injection vulnerability CVE-2024-41710 that impacts Mitel models.

“This third iteration adds a novel activity for a Mirai-based botnet: C2 communication when the botnet catches certain signals.” reads the report published by Akamai. “This, and other notable differences in functionality, separate the two versions significantly, supporting the distinction of a third variant.”

The malware targets the flaw CVE-2024-41710 that affects Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit through R6.4.0.HF1 (R6.4.0.136).

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 5, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)