CVE-2025-24104 - How a Malicious iPhone Backup Could Hijack System Files (And How Apple Fixed It)

Security vulnerabilities sometimes strike where few expect them: in tools we use for protection and recovery. CVE-2025-24104 is one such case, impacting the way iOS, iPadOS, and their backups handle symlinks (symbolic links). In this long read, we break down the issue, how attackers could exploit it, the fix Apple applied, and what you should do.

What is CVE-2025-24104?

CVE-2025-24104 is a privilege escalation and file modification bug in iOS and iPadOS, disclosed by Apple in early 2024. The vulnerability exists in how the OS handles symbolic links present inside backup files when restoring a backup to a device.

- Affected versions: iOS/iPadOS before 18.3 and iPadOS 17.7.4.

Fixed in: iPadOS 17.7.4, iOS 18.3, and iPadOS 18.3.

- Impact: Restoring a deliberately crafted backup could overwrite or tamper with protected system files—something even malware or most apps cannot normally do.

👉 Simple terms: Plugging in a backup made by someone else could break, backdoor, or hijack your device at the system level.

The Danger Explained

Most people use backups (via iTunes or Finder) thinking they’re safe. But, if a backup file includes symbolic links (symlinks), and the OS restoring from backup doesn’t check—or blocks—where those links point, then backup files could be a backdoor.

What’s a symlink?
A symbolic link is like a shortcut. For example, a file note.txt can actually be a symlink pointing to /etc/passwd (on Linux) or any system file.

The Problem

An attacker creates a backup that contains symlinks instead of normal files.

- When this backup is restored, the operating system might follow the symlink paths and overwrite or modify files outside the backup sandbox—possibly crucial system files!

Create a Malicious Backup:

Using backup tools (like libimobiledevice), an attacker crafts a backup with one or more files replaced by symlinks to protected system locations.

Trick the User:

Convince someone to restore this backup (maybe under the pretense of recovering data or via a swapped device).

Backdoor or Brick the Device:

Upon restore, system files are overwritten or “planted” with the attacker's data (scripts, backdoors, or corrupted files), possibly leading to escalating privileges, persistent malware, or a nonbooting device.

Realistic Example

Imagine replacing the Notes database in the backup with a symlink pointing to /System/Library/CoreServices/SystemVersion.plist. When restored, the Notes “data” would overwrite or modify core system version files. Replace with a backdoored config, and your phone is compromised at the OS level.

1. Create a symlink in backup folder

cd ~/Backups/Device123/Documents/
ln -s /private/var/root/.ssh/authorized_keys notes.db

This command means that the backup's notes.db doesn't really “exist” but is a pointer to another file — possibly a system or security file.

Suppose you're scripting backup restoration

import os
import shutil

# Path to malicious backup folder
malicious_backup = '/tmp/malicious_backup/'

# Symlink: Connect note file to protected file
os.symlink('/System/Library/CoreServices/SystemVersion.plist', 
           os.path.join(malicious_backup, 'AppData/notes.db'))
# Now package or load this backup into iTunes

3. Device restores backup

On restore, if the OS doesn't validate symlinks, SystemVersion.plist can be overwritten—leading to device malfunction or takeover.

Backup data is properly sanitized.

Mitigation:
Restoring a backup cannot overwrite files outside the expected scope, even if symlinks are present.

Apple advisory:
> “This issue was addressed with improved handling of symlinks. This issue is fixed in iPadOS 17.7.4, iOS 18.3 and iPadOS 18.3. Restoring a maliciously crafted backup file may lead to modification of protected system files.”
→ Apple Security Updates

Update Now

If you’re running an iPhone, iPad or iPod, update to the latest version: iOS/iPadOS 18.3+ or iPadOS 17.7.4+.

Only Restore Trusted Backups

Never accept a backup file from a stranger, online sources, or even dubious “tech support.” Stick to your own backups, made on your own hardware.

Re-check Restores after Suspicious Behavior

If your device misbehaves after a restore, consider erasing and setting up as new—not from a possibly tainted backup.

Security Professionals:

If analyzing devices for forensics, always confirm the integrity of the backup data before restoring.

Apple Security Release Note:

About the security content of iOS 18.3 and iPadOS 18.3

Mitre CVE Entry for CVE-2025-24104:

CVE-2025-24104 on Mitre.org *(if available)*

Symlink Attacks Explained:

OWASP: Filesystem attacks

Summary

CVE-2025-24104 is a subtle yet potentially devastating bug: by mishandling symlinks in backup files, past iOS/iPadOS versions allowed attackers to modify protected system files during restore. Thankfully, Apple patched this with iPadOS 17.7.4 and iOS 18.3. The takeaway? Always update, and only restore backups you trust. Even your backups can bite.

Timeline

Published on: 01/27/2025 22:15:15 UTC
Last modified on: 02/05/2025 15:15:22 UTC