A critical vulnerability in Apple’s iOS activation backend allows injection of unauthenticated XML .plist payloads during the device setup phase.
The flaw permits arbitrary provisioning changes without authentication, signature verification, or error feedback — exposing devices to pre-activation tampering and persistent configuration manipulation.
- Vendor: Apple
- Product: iOS Activation Infrastructure
- Endpoint:
https://humb.apple.com/humbug/baa(Apple internal)
- The server at
https://humb.apple.com/humbug/baaaccepts unauthenticated XML payloads. - This enables silent provisioning changes during activation.
- Impacts include: - Modem configuration - CloudKit token behavior - Carrier-level protocol enforcement
- Supply chain compromise potential
- Bypasses enterprise MDM and hardening policies
- Persistent, pre-user compromise vector during the trusted setup phase
Disclosure Timeline
- 05/19/2025 reported to Apple & US Cert (tracking ID VRF#25-05-RCKYK)
If activation can be hijacked, no iPhone is safe from day one. A silent attacker could pre-configure networks, tokens, or carrier rules before the user ever sees the home screen. Trust in Apple’s entire supply chain depends on this step being secure.