Critical Bug Fixed in iOS: A Single Line of Code Addressed Device Lockouts

Tue 29th Apr, 2025

Apple recently addressed a significant security flaw in its iOS operating system with the release of iOS 18.4. The vulnerability, which was linked to a legacy API, had the potential to render iPhones inoperable, a situation commonly referred to as 'bricking.'

The issue, identified by security researcher Guilherme Rambo, involved the misuse of Darwin Notifications, which allowed malicious actors to disable devices. This flaw, cataloged under CVE-2025-24095, exemplified a legacy problem that re-emerged after a period of dormancy.

According to Rambo, the exploit was particularly alarming due to its simplicity. It leveraged a public legacy API that many of Apple's core components still depend on. Unlike modern notification systems, Darwin Notifications operate at a low level and facilitate straightforward message exchanges between processes.

The crux of the problem lay in the ability to send Darwin Notifications system-wide without any additional privileges or the specific entitlements Apple typically uses as a security measure. One major risk was that attackers could trigger powerful system functions, including the 'Restore in Progress' mode. This could be achieved with a single command, causing the device to freeze and requiring the user to reboot it.

Rambo showcased a proof-of-concept exploit, dubbed 'VeryEvilNotify,' which he implemented through a widget extension for iOS. These widgets, which are routinely activated as background processes, could effectively 'brick' the device. When the widget invoked the 'Restore in Progress' function, the user would need to restart the device, only to have the widget trigger again, creating a loop that could only be escaped by promptly deleting the widget post-reboot.

It remains uncertain whether such code would have passed Apple's App Store review process or been flagged by the company's software scanners. Prior to Rambo's report, sending and receiving Darwin Notifications did not require special system privileges, and there was no mechanism to identify the sender process. The vulnerability was patched in iOS 18.4, iPadOS 18.4, and visionOS 2.4; the fix requires specific entitlements for sending Darwin Notifications.
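The difference between the old and new behaviour can be shown with a small model of a notification broker. This is an added illustration, not Apple's code or Rambo's proof of concept: the notification names, the entitlement strings, the per-name entitlement scheme and the function names are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a system-wide notification broker. Every name is constructed. */
#define RESTRICTED_PREFIX  "example.restricted."        /* assumed marker for sensitive names */
#define ENTITLEMENT_PREFIX "example.entitlement.post."  /* assumed per-name entitlement scheme */

typedef struct {
    const char *name;             /* process label, used only for output */
    const char *entitlements[4];  /* NULL-terminated list granted at signing time */
} process_t;

static bool has_entitlement(const process_t *p, const char *wanted) {
    for (size_t i = 0; i < 4 && p->entitlements[i]; i++)
        if (strcmp(p->entitlements[i], wanted) == 0) return true;
    return false;
}

/* Pre-fix behaviour described in the article: the sender is never consulted. */
bool legacy_post(const process_t *sender, const char *notification) {
    (void)sender; (void)notification;
    return true;  /* delivered to every observer */
}

/* Post-fix behaviour: a sensitive name needs a matching entitlement on the sender. */
bool hardened_post(const process_t *sender, const char *notification) {
    if (strncmp(notification, RESTRICTED_PREFIX, strlen(RESTRICTED_PREFIX)) != 0)
        return true;  /* ordinary names stay open to all senders */
    char required[128];
    int n = snprintf(required, sizeof required, "%s%s", ENTITLEMENT_PREFIX, notification);
    if (n < 0 || (size_t)n >= sizeof required) return false;  /* fail closed on truncation */
    return has_entitlement(sender, required);
}

int main(void) {
    const char *sensitive = "example.restricted.restore-started";
    process_t widget = { "widget-extension", { NULL } };
    process_t daemon = { "restore-daemon",
        { "example.entitlement.post.example.restricted.restore-started", NULL } };

    printf("legacy   %s: %d\n", widget.name, legacy_post(&widget, sensitive));
    printf("hardened %s: %d\n", widget.name, hardened_post(&widget, sensitive));
    printf("hardened %s: %d\n", daemon.name, hardened_post(&daemon, sensitive));
    printf("hardened %s (ordinary name): %d\n", widget.name,
           hardened_post(&widget, "example.ui.theme-changed"));
    return 0;
}
```

In the model, the unentitled widget's post is accepted by the legacy path and rejected by the hardened one, while ordinary notification names remain usable by any sender.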

Importantly, Rambo noted that this exploit had not been observed in the wild, but users are still advised to update their devices to iOS 18.4.1, which addresses another critical vulnerability.

