I’ve published a report detailing a critical, unpatched vulnerability in Apple’s iOS activation infrastructure.

It affects all iPhones during initial setup — even after a factory reset, with no jailbreak, no Apple ID, and no MDM.

Key Findings:

• The Apple endpoint https://humb.apple.com/humbug/baa accepts unauthenticated XML provisioning payloads
• The server responds with HTTP 200 OK and applies persistent, device-level configuration changes
• Exploit triggers during activation, before the user reaches the home screen
• Alters:
  • Modem policy settings
  • Carrier protocol enforcement
  • CloudKit account behavior and caching
• Changes persist across reboots and can’t be reverted through Settings

Impact:

• Bypasses traditional mobile device management and security controls
• Opens the door to silent pre-provisioning by third parties
• Allows long-term, pre-user compromise of trust infrastructure
• Mirrors unknown behaviors observed in certain iOS surveillance incidents

This was submitted to US-CERT (VRF#25-05-RCKYK), Apple, and CNVD. No remediation to date.
I’m sharing this to inform the security community and to preserve the discovery.