Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
- John Jordan
- 3 days ago
Updated: 2 hours ago
Apple has confirmed that a zero-click vulnerability in its Messages app, tracked as CVE-2025-43200, was actively exploited to deploy Paragon's Graphite spyware against journalists. This sophisticated attack allowed compromise of devices without user interaction, highlighting the persistent threat posed by mercenary spyware to civil society and underscoring the ongoing cat-and-mouse game between tech giants and surveillance vendors.

Apple Zero-Click Flaw Exposes Journalists to Spyware
Apple recently disclosed that a critical zero-click vulnerability within its Messages application (CVE-2025-43200) was actively exploited in the wild. This flaw allowed attackers to install sophisticated mercenary spyware, specifically Paragon's Graphite, onto targeted devices without any user interaction. The vulnerability, which involved a logic issue when processing maliciously crafted photos or videos via iCloud Link, was patched on February 10, 2025, with the release of iOS 18.3.1 and other related updates.
Citizen Lab Uncovers Spyware Campaign
The Citizen Lab, an interdisciplinary research center, played a pivotal role in uncovering the extent of this exploitation. Their forensic analysis provided the first public proof that Paragon's Graphite spyware was used to compromise iPhones. The investigation revealed that at least two European journalists, Italian journalist Ciro Pellegrino and another prominent unnamed European journalist, were targeted. Both individuals received threat notifications from Apple on April 29, 2025, indicating potential state-sponsored attacks.
Key Takeaways
- Zero-Click Exploitation: The vulnerability allowed for device compromise without any user interaction, making it extremely difficult for victims to detect.
- Paragon's Graphite Spyware: This incident marks the first confirmed instance of Paragon's Graphite spyware successfully compromising an Apple device.
- Targeted Journalists: The attacks specifically targeted journalists, raising concerns about press freedom and the abuse of surveillance technology.
- Shared Attack Infrastructure: Researchers found that the same iMessage account, dubbed "ATTACKER1," was used to deliver the exploit to both journalists, suggesting a single operator or customer of Paragon.
- Apple's Response: Apple patched the vulnerability in February 2025 but only publicly acknowledged its exploitation after Citizen Lab's report.
The Broader Implications of Mercenary Spyware
This incident further highlights the problematic nature of the commercial surveillance industry. Paragon Solutions, an Israeli firm, has faced scrutiny, drawing comparisons to NSO Group, the maker of Pegasus spyware. The case has also sparked controversy in Italy, where a parliamentary committee acknowledged the government's use of Paragon spyware in other contexts. The targeting of journalists has led to a public dispute between Paragon and Italian officials regarding responsibility for alleged misuse. The European Commission has issued warnings against illegal data access, and WhatsApp previously sent a cease-and-desist letter to Paragon over other targeting attempts. This ongoing struggle underscores the urgent need for stronger regulatory oversight and accountability within the global spyware market to protect civil liberties and press freedom.