
Apple has patched a dangerous zero-click security flaw in its Messages app that was actively used to spy on journalists using advanced spyware called Graphite, developed by Israeli firm Paragon.
The critical vulnerability, tracked as CVE-2025-43200, was found in Apple’s Messages app and allowed attackers to compromise iPhones, iPads, and Macs without the user clicking on anything. Apple released a security update on February 10, 2025, to fix this flaw in multiple operating systems, including:
According to Apple, the flaw stemmed from a logic issue that occurred when handling a malicious image or video shared via iCloud Links. The company stated it had implemented better security checks to resolve the issue.
What makes this vulnerability extremely dangerous is that it was zero-click, meaning attackers could compromise the device without any user interaction. Apple confirmed that the bug may have been actively exploited in highly targeted cyberattacks.
Apple has not released many technical details about the attacks. However, Citizen Lab, a digital watchdog group based at the University of Toronto, reported that this exploit was used to target at least two journalists in Europe:
Ciro Pellegrino, an Italian journalist
Another unnamed European journalist
The attackers used a spyware tool called Graphite, which is developed by Paragon, a private Israeli cyber intelligence firm. This spyware is powerful—it can access a user’s messages, emails, camera, microphone, and location—all without the user knowing or doing anything.
Citizen Lab noted that the infected journalist’s iPhone was running iOS 18.2.1 during the attack in January and February 2025, and that no signs of the infection were visible to the user.
According to Citizen Lab researchers Bill Marczak and John Scott-Railton, the spyware was deployed using iMessages sent from a single Apple ID, which they codenamed “ATTACKER1.” This suggests that both journalists were likely targeted by the same customer of Paragon.
Apple notified the victims on April 29, 2025, through its threat notification system, which it has used since 2021 to warn users targeted by state-sponsored attackers.
Graphite is a surveillance tool sold to governments. It allows remote access to personal data on a device and is typically marketed for national security purposes. However, in this case, the spyware was used to monitor members of the media, raising serious human rights and privacy concerns.
Graphite’s infection process leaves minimal trace, making it hard to detect and prevent. The tool is sold under contractual agreements, and Paragon claims its use should comply with national laws.
This incident follows earlier reports from WhatsApp, which is owned by Meta. In January 2025, WhatsApp revealed that Graphite spyware had been used against dozens of users, including Pellegrino’s colleague Francesco Cancellato.
In total, seven individuals have now been publicly identified as targets of Paragon’s spyware.
Paragon has since terminated its contract with the Italian government, citing Italy’s refusal to let the company independently verify whether the spyware had been used unlawfully against the journalists.
While Paragon says it offered Italy a chance to prove lawful use, the Italian government denied the request, citing national security.

Italy’s Parliamentary Committee for the Security of the Republic (COPASIR) released a report confirming that both foreign and domestic intelligence agencies had used Graphite against a limited number of individuals with proper legal approvals.
The spyware was reportedly used in investigations related to:
Tracking fugitives
Combating illegal immigration
Counter-terrorism
Fighting organized crime
Preventing fuel smuggling
Conducting counter-espionage
However, the report stated that Francesco Cancellato’s phone was not targeted, leaving unanswered questions about who authorized the spyware attack on him.
Interestingly, the report also revealed that each Graphite deployment is logged, and the logs are stored on servers controlled by the client, not Paragon. This design raises serious concerns about accountability and oversight.
Citizen Lab emphasized that this case highlights the lack of protections for journalists and others vulnerable to invasive spyware attacks. It called for stronger regulations to stop the unchecked spread of commercial spyware.
The European Union has already expressed concern about this issue and may now face increased pressure to enforce export controls and legal safeguards for such technologies.
Apple’s threat notification system uses internal signals to detect and warn users of possible targeted spyware attacks. However, Apple admits that not every attack may be detected, and that receiving an alert doesn’t always mean the device is infected, only that suspicious activity was observed.
In a related development, Recorded Future’s Insikt Group reported a resurgence of Predator spyware, another advanced surveillance tool linked to Israeli vendor Intellexa/Cytrox. Predator has been observed targeting individuals across multiple countries, including Mozambique, Armenia, Saudi Arabia, Kazakhstan, Egypt, and more.
The report points to a high concentration of Predator customers in Africa and hints at sophisticated evasion tactics being used by spyware vendors to bypass sanctions and regulatory scrutiny.