U.S. CISA adds Apple iOS and iPadOS and Mitel SIP Phones flaws to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini
February 15, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The two vulnerabilities are:

  • CVE-2025-24200 Apple iOS and iPadOS Incorrect Authorization Vulnerability
  • CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability

This week, Apple released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24200, which, according to the company, was exploited in “extremely sophisticated” targeted attacks.

An attacker could have exploited the vulnerability to disable USB Restricted Mode “on a locked device”.

Apple USB Restricted Mode is a security feature introduced in iOS 11.4.1 to protect devices against unauthorized access via the Lightning port.

USB Restricted Mode disables the data connection of the iPhone's Lightning port after a specific time interval, but it does not interrupt charging. Any other data transfer would require the user to provide the passcode.

The IT giant fixed the vulnerability with improved state management.

“A physical attack can deactivate USB Restricted Mode on a locked device”, read the release notes for iOS 18.3.1 and iPadOS 18.3.1. “Apple is aware of a report that this problem may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

The zero-day impacts and later, and iPad mini 5th generation and later.

Apple has also released 17.7.5 to address the issue in iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch and iPad 6th generation.

As usual, Apple has not publicly disclosed details about the attacks exploiting the vulnerability or the threat actors responsible. However, the fact that Citizen Lab researchers discovered the attack suggests that the threat actor could have used a zero-day exploit to deliver commercial spyware in highly targeted attacks. These types of attacks often rely on zero-day exploits to target journalists, dissidents and opposition politicians with spyware. Another possibility is that Apple is aware of physical access attacks on some of its devices, probably involving forensic tools such as Cellebrite to unlock devices and extract data.

The second vulnerability added to the CISA KEV catalog is CVE-2024-41710, which affects Mitel 6800, 6900 and 6900W SIP phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136).

In mid-July 2024, Mitel addressed the vulnerability with the release of firmware updates. The vendor warned that exploitation of the flaw “could allow an authenticated attacker with administrative privilege to carry out a command injection attack due to insufficient parameter sanitization during the boot process”.

A month later, Packetlabs researcher Kyle Burns published proof-of-concept (PoC) exploit code for the vulnerability CVE-2024-41710.

At the end of January, Akamai researchers spotted a new variant of the Mirai-based Aquabot botnet that targets vulnerable Mitel SIP phones.

Aquabot is a Mirai-based botnet designed for DDoS attacks. Named after the “Aqua” filename, it was first reported in November 2023.

As this is the third distinct iteration of Aquabot, Akamai tracked this variant as Aquabotv3. The bot targets the command injection vulnerability CVE-2024-41710, which impacts Mitel models.

“This third iteration adds a new activity for a Mirai-based botnet: C2 communication when the botnet catches certain signals,” reads the report published by Akamai. “This, and other notable differences in functionality, considerably separate the two versions, supporting the distinction of a third variant.”

The malware targets the CVE-2024-41710 flaw, which affects Mitel 6800, 6900 and 6900W SIP phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136).

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 5, 2025.
