CVE-2025-24104

MEDIUM

iPadOS < 17.7.4 and < 18.3 - Arbitrary File Write via Malicious Backup Restore

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-24104. PoCs published by ifpdz, missaels235.

Description

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4. Restoring a maliciously crafted backup file may lead to modification of protected system files.

Exploits (2)

nomisec WRITEUP 51 stars
by ifpdz · poc
https://github.com/ifpdz/CVE-2025-24104

The repository contains a detailed writeup for CVE-2025-24104, describing a symlink validation flaw in Apple's backup restoration process that allows reading arbitrary files outside the sandbox. The vulnerability was patched in iOS 18.3 beta 1.

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apple iOS (versions prior to 18.3 beta 1)
No auth needed
Prerequisites: Ability to craft and restore a malicious backup · Access to a lockdown connection to send the GetCloudConfiguration command
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by missaels235 · poc
https://github.com/missaels235/POC-CVE-2025-24104-Py

This PoC exploits a vulnerability in iOS backup manipulation to exfiltrate sensitive files by replacing a configuration plist with a symlink. It checks for vulnerable iOS versions and prepares a malicious backup.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apple iOS (versions prior to 18.3)
Auth required
Prerequisites: Physical access to the device or trusted connection via USB · libimobiledevice and idevicebackup2 installed · Python dependencies (usbmux-python, python-lockdown, packaging)
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Release Notes, Vendor Advisory
https://support.apple.com/en-us/122066
Release Notes, Vendor Advisory
https://support.apple.com/en-us/122067

Scores

CVSS v3 5.5
EPSS 0.0143
EPSS Percentile 69.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-59
Status published
Products (4)
Apple/iOS and iPadOS < 18.3
apple/ipados < 17.7.4
Apple/iPadOS < 17.7.4
apple/iphone_os < 18.3
Published Jan 27, 2025
Tracked Since Feb 18, 2026