A critical vulnerability in iOS (CVE-2025-24091) allowed any sandboxed application or widget extension to send low-level Darwin notifications that forced devices into a “Restore in Progress” state, triggering an endless reboot loop. The exploit—just a single line of code—bricked affected iPhones and iPads running versions prior to iOS/iPadOS 18.3, rendering them unusable without a full system restore. The persistent nature of the proof-of-concept attack, implemented in a widget that automatically relaunched on restart, meant devices would immediately reenter the reboot cycle upon each reboot, effectively denying service indefinitely. End users faced downtime, data loss risk if backups were outdated, increased support calls and repair costs, and potential reputational damage for enterprises relying on vulnerable devices. Apple released iOS 18.3 to address the issue with new entitlements on Darwin notifications and awarded a $17,500 bug bounty to the researcher.
Source: https://cybersecuritynews.com/ios-critical-vulnerability-brick-iphones/
TPRM report: https://scoringcyber.rankiteo.com/company/apple
"id": "app720042825",
"linkid": "apple",
"type": "Vulnerability",
"date": "4/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"