Exploitation of Apple Zero-Click Vulnerability in Messages for Surveillance of Journalists via Paragon Spyware


Apple has reported a security flaw in its Messages application, designated as CVE-2025-43200, which has been actively exploited in targeted cyber attacks against members of civil society. The vulnerability was patched on February 10, 2025, with fixes shipping across multiple operating systems: iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.

The flaw was a logic issue that could be triggered by a maliciously crafted photo or video shared via an iCloud Link; Apple addressed it with improved checks. Apple acknowledged that the vulnerability might have been used in an extremely sophisticated attack against specific targeted individuals, indicating the high stakes involved.

The same updates also addressed another actively exploited zero-day vulnerability, CVE-2025-24200. Apple did not disclose the existence of CVE-2025-43200 until this announcement, however, leaving questions about the timing of such disclosures.

Research by Citizen Lab has uncovered evidence linking this vulnerability to the targeting of Italian journalist Ciro Pellegrino and another prominent European journalist, both of whom were infected with Graphite, a mercenary spyware developed by the Israeli firm Paragon. The attacks were identified as zero-click, meaning that they could affect devices without any interaction from the users.

Citizen Lab’s analysis revealed that the spyware was delivered to the journalists’ devices through iMessages sent from the same Apple account, suggesting a single operator behind both infections. On April 29, 2025, Apple notified both journalists that they had been targeted with advanced spyware, continuing the threat notification program it has run since November 2021 to alert users suspected of being targeted by state-sponsored attacks.

Graphite can access sensitive data including messages and emails, and can activate the microphone and camera, all without any action from the user, which makes detection significantly harder. Paragon, a private sector offensive actor, markets the spyware to government clients on the basis of national security needs.

The ongoing scandal surrounding the use of spyware has deepened following an instance in January where Meta-owned WhatsApp indicated that Graphite had been deployed against several users globally, including Pellegrino’s associate, Francesco Cancellato. To date, a total of seven individuals have been identified as victims of this spyware campaign.

In a related development, Paragon has terminated its contracts with the Italian government amidst controversies surrounding the legality of its spyware usage. The Italian government maintained that the decision to end the contracts was mutual, citing national security as a significant concern. A parliamentary report confirmed the use of Graphite by Italian intelligence services under legal authorization for various law enforcement purposes, although it clarified that Cancellato’s device was not among those targeted.

This situation highlights the lack of accountability surrounding the deployment of such surveillance tools, with increasing concern raised by expert organizations about the pervasive threats facing journalists and civil society amidst a growing spyware proliferation. The European Union has previously called for stricter regulations and export controls regarding commercial spyware, emphasizing the urgent need for political action in light of recent developments.

Apple’s threat notifications are based on its internal threat intelligence; it is important to note that receiving one does not confirm an active infection, but rather indicates activity consistent with a targeted attack on the account or device.

Recent reports from Recorded Future’s Insikt Group indicate a resurgence in activity related to the Predator spyware, associated with Intellexa/Cytrox. This resurgence includes the identification of new customer operations, indicating a broader pattern of abuse in various countries, particularly in Africa. The increasing demand for such tools underscores the technical evolution of spyware and the challenges in enforcing regulations against its misuse.

Overall, these incidents highlight the critical need for enhanced security protocols and greater accountability in the oversight of surveillance technology, particularly as threats to personal privacy and journalistic integrity continue to evolve.