CVE-2025-24203

MEDIUM

iPadOS < 17.7.6 - Arbitrary File System Modification

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-24203. PoCs published by jailbreakdotparty, GeoSn0w, pxx917144686.

AI-analyzed exploit summary This repository provides a toolbox that leverages CVE-2025-24203 to temporarily disable or modify iOS system files in memory, offering various customization tweaks for iOS 16.0 to 18.3.2. The exploit does not persist across reboots and requires a respring to apply changes.

Description

The issue was addressed with improved checks. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. An app may be able to modify protected parts of the file system.

Exploits (4)

nomisec WORKING POC 288 stars

by jailbreakdotparty · poc

https://github.com/jailbreakdotparty/dirtyZero

View Code ZIP pw:eip

This repository provides a toolbox that leverages CVE-2025-24203 to temporarily disable or modify iOS system files in memory, offering various customization tweaks for iOS 16.0 to 18.3.2. The exploit does not persist across reboots and requires a respring to apply changes.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: iOS 16.0 - 18.3.2

No auth needed

Prerequisites: iOS device running a vulnerable version · Ability to sideload the IPA

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 40 stars

by GeoSn0w · poc

https://github.com/GeoSn0w/CVE-2025-24203-iOS-Exploit-With-Error-Logging

View Code ZIP pw:eip

This is a privilege escalation exploit for CVE-2025-24203 targeting iOS 16.0 to 18.3.2, leveraging memory manipulation via `vm_behavior_set` and `mlock` to achieve effects similar to MacDirtyCow. The PoC includes improved error logging for research purposes.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: iOS 16.0 - 18.3.2

No auth needed

Prerequisites: Access to the target iOS device · Ability to execute arbitrary code on the device

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 22 stars

by pxx917144686 · poc

https://github.com/pxx917144686/iDevice_ZH

View Code ZIP pw:eip

This repository contains a working proof-of-concept exploit for CVE-2025-24203, a vulnerability in XNU's VM_BEHAVIOR_ZERO_WIRED_PAGES that allows writing to read-only pages by leveraging mlock and vm_deallocate to zero out physical memory pages. The exploit demonstrates how to modify read-only, root-owned files on iOS 16.0 to 18.3.2.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Apple XNU kernel (iOS 16.0 - 18.3.2, macOS 15.2)

No auth needed

Prerequisites: Access to a vulnerable iOS/macOS device · Ability to compile and run C code on the target

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-24203

View Code ZIP pw:eip

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and functional code.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN

No auth needed

Prerequisites: network access to the target device

MITRE ATT&CK