A security researcher has uncovered a critical vulnerability in iOS, Apple’s flagship mobile operating system.
The flaw, CVE-2025-24091, abuses the long-standing but little-known “Darwin notification” system and allows any app, including those confined by Apple’s usually strict sandbox restrictions, to push the entire device into an inescapable “restore in progress” state with a single line of code.
The Heart of the Vulnerability
The discovery centers around Darwin notifications, a legacy API deeply embedded within Apple’s CoreOS layer.
While most iOS developers are familiar with mechanisms like NSNotificationCenter for intra-app communication, Darwin notifications enable low-level messaging not only without special privileges but also across process boundaries, meaning virtually any app can send or receive these signals.
The crux of the problem is that this API, intended for legitimate system-wide notifications, lacks any sender verification or privilege gating.
That means a third-party app can send the same critical notifications as trusted system processes.
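The design gap described above (a cross-process notification bus that carries no sender identity and gates nothing) is easiest to see next to the fix that would close it. The following Python model is an added illustration, not Apple's code and not the researcher's EvilNotify: it simulates an ungated bus alongside a hardened variant that accepts reserved, system-critical names only from an allowlist of trusted senders and logs rejected posts. The notification name is the one quoted in the article; the sender labels ("backupd", "third_party_app") and the allowlist are constructed for this example.

```python
"""Toy model of a cross-process notification bus with and without sender gating.

Added illustration, not Apple code and not the researcher's EvilNotify. It models
the property the article describes (any process can post any notification name)
beside a hardened bus that gates reserved names behind a trusted-sender allowlist.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample values: the name is from the article; sender labels are made up.
RESTORE_STARTED = "com.apple.MobileSync.BackupAgent.RestoreStarted"
TRUSTED_SENDERS: Set[str] = {"backupd"}           # hypothetical privileged process label
RESERVED_PREFIXES = ("com.apple.MobileSync.",)     # names only trusted senders may post


@dataclass
class NotificationBus:
    """Ungated bus: mirrors a notify_post()-style API where the sender is never
    checked, so every observer receives every posted name."""
    observers: Dict[str, List[Callable[[str, str], None]]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def register(self, name: str, handler: Callable[[str, str], None]) -> None:
        self.observers.setdefault(name, []).append(handler)

    def post(self, sender: str, name: str) -> bool:
        """Deliver `name` to all observers; the sender is recorded but not verified."""
        for handler in self.observers.get(name, []):
            handler(sender, name)
        self.audit_log.append(f"delivered {name} from {sender}")
        return True


class GatedNotificationBus(NotificationBus):
    """Hardened variant: reserved names are accepted only from trusted senders.
    Rejected posts are logged, which is also where a detection rule would hook in."""

    def post(self, sender: str, name: str) -> bool:
        if name.startswith(RESERVED_PREFIXES) and sender not in TRUSTED_SENDERS:
            self.audit_log.append(f"REJECTED {name} from untrusted sender {sender}")
            return False
        return super().post(sender, name)


@dataclass
class DeviceState:
    """Stand-in for the UI state machine that reacts to the restore notification."""
    restore_in_progress: bool = False

    def on_restore_started(self, sender: str, name: str) -> None:
        self.restore_in_progress = True


def simulate(bus_cls) -> Tuple[bool, List[str]]:
    """Wire a device to a bus, let an untrusted app post the reserved name,
    and return (restore_in_progress, audit_log)."""
    bus = bus_cls()
    device = DeviceState()
    bus.register(RESTORE_STARTED, device.on_restore_started)
    bus.post("third_party_app", RESTORE_STARTED)   # sandboxed app, not in the allowlist
    return device.restore_in_progress, bus.audit_log


def simulate_trusted(bus_cls) -> bool:
    """Same wiring, but the post comes from the trusted backup process."""
    bus = bus_cls()
    device = DeviceState()
    bus.register(RESTORE_STARTED, device.on_restore_started)
    bus.post("backupd", RESTORE_STARTED)
    return device.restore_in_progress


if __name__ == "__main__":
    for cls in (NotificationBus, GatedNotificationBus):
        stuck, log = simulate(cls)
        print(f"{cls.__name__}: restore_in_progress={stuck}; log={log}")
```

On the ungated bus the untrusted post flips the device into the restore state; on the gated bus the same post is refused and leaves an audit entry, while the trusted sender still gets through. The allowlist check is deliberately placed in the bus rather than in each observer, since a single choke point is what a legacy API like this lacks.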
The Proof of Concept: ‘EvilNotify’
The security researcher, in the course of inspecting system processes on a beta version of iOS 18, devised a proof-of-concept app dubbed “EvilNotify.”
By triggering various Darwin notifications, the app demonstrated the troubling breadth of its power: from showing the liquid detection icon to blocking Control Center, forcing cellular over Wi-Fi, and even simulating the activation of Apple’s “Lost Mode.”
But the most destructive action required only a single, innocuous-looking function call:
notify_post("com.apple.MobileSync.BackupAgent.RestoreStarted")
This line tricks the system into believing a device restore from backup is underway: a state that freezes virtually all user interactions and persists until the user is forced to restart the device.
Taking the exploit further, the researcher leveraged iOS’s widget extension framework, which allows code to run at system startup, even before a device is fully unlocked.
By embedding the malicious notification in a widget extension and making the extension crash repeatedly, the researcher caused the system to re-invoke it again and again.
The device becomes stuck in an endless loop. Immediately after each reboot, the fake restore is triggered anew, effectively “soft-bricking” the phone.
The only solution is a full device erase and restore from backup. If the infected app is included in the backup, the cycle can begin again, leading to a persistent denial of service.
The main cause lies in Apple’s trust in legacy APIs and the absence of access control or sender authentication for Darwin notifications.
While originally designed for benign system communication, their misuse now exposes the entire device to catastrophic failure, with just one line of code.
Upon confirming the exploit, the researcher responsibly disclosed the vulnerability to Apple. As of publication, there is no public confirmation of a patch.
Users are advised to be cautious about installing apps from unfamiliar sources and to avoid beta versions of iOS on critical devices.
As the iOS ecosystem grows more complex, even a single line of code can have devastating, system-wide impacts.