CISA Warns of iOS 0-Click Vulnerability Exploited in the Wild

CISA has added a critical iOS zero-click vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw has been actively exploited by sophisticated mercenary spyware in targeted attacks against journalists. 

The vulnerability, tracked as CVE-2025-43200, affects multiple Apple products, including iOS, iPadOS, macOS, watchOS, and visionOS, allowing attackers to compromise devices without any user interaction through maliciously crafted photos or videos shared via iCloud Links.

Zero-Click Exploit Targets Apple Devices via iCloud Links

The vulnerability represents a significant security concern as it enables zero-click attacks, where no user interaction is required for successful device compromise. 

CVE-2025-43200 specifically targets Apple’s media processing functionality when handling content shared through iCloud Links, creating an attack vector that bypasses traditional user awareness and security measures. 

CISA added this vulnerability to the KEV catalog on June 16, 2025, establishing a remediation deadline of July 7, 2025, for federal agencies and recommending immediate action for all organizations.

The technical nature of this exploit makes it particularly dangerous, as victims have no indication of compromise during the attack process. 

Unlike traditional malware that requires user clicks or downloads, this zero-click vulnerability automatically executes when the target device processes the malicious media content. 

The attack methodology demonstrates the sophisticated capabilities of modern mercenary spyware operations that can bypass Apple’s robust security architecture.

Citizen Lab researchers have confirmed that the Graphite spyware, developed by Paragon Solutions, exploited CVE-2025-43200 to target at least three European journalists through iMessage delivery mechanisms. 

Forensic analysis revealed that an attacker account, designated as “ATTACKER1” by researchers, systematically deployed the zero-click exploit against multiple targets using Apple’s messaging platform as the primary attack vector.

The confirmed targets include Italian journalist Ciro Pellegrino, head of the Naples newsroom at Fanpage.it, and Francesco Cancellato, another journalist from the same organization. 

Both journalists received Apple security notifications on April 29, 2025, alerting them to potential advanced spyware compromises. 

Subsequent forensic examination confirmed the presence of Graphite spyware artifacts on their devices, indicating successful compromise and potential data exfiltration.

Technical analysis of the compromised devices revealed connections to infrastructure associated with IP address 46.183.184.91, hosted on VPS provider EDIS Global. 

This server maintained characteristics matching Citizen Lab’s “Fingerprint P1” identifier until at least April 12, 2025, providing researchers with crucial attribution evidence linking the attacks to Paragon’s spyware operations.

Risk Factors          | Details
----------------------|-----------------------------------------------------------------
Affected Products     | iOS, iPadOS, macOS, watchOS, visionOS
Impact                | Arbitrary code execution
Exploit Prerequisites | Unpatched Apple devices (iOS < 18.3.1), iCloud Links/iMessage enabled
CVSS 3.1 Score        | Critical

Patch Available

Apple addressed CVE-2025-43200 in iOS 18.3.1, effectively mitigating the zero-click attack vector used by Graphite spyware. 

However, devices running earlier iOS versions remained vulnerable throughout early 2025, emphasizing the critical importance of maintaining current software versions across all Apple products. 

The company’s security bulletin confirms that the vulnerability allowed arbitrary code execution through maliciously crafted media files processed via iCloud sharing mechanisms.

The incident highlights the ongoing “spyware crisis” affecting journalists globally, with mercenary surveillance tools increasingly targeting media professionals and civil society organizations. 

Security experts recommend that individuals who receive spyware warnings from Apple, Meta, WhatsApp, or Google treat these alerts seriously and seek assistance from organizations like Access Now’s Digital Security Helpline or Amnesty International’s Security Lab.

Organizations should immediately implement CISA’s recommended mitigations, including applying vendor security updates and following applicable Binding Operational Directive 22-01 guidance for cloud services, to protect against this and similar sophisticated attack vectors.
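As an added defender-side example, not code from the article, CISA or Apple, the script below shows the two checks a fleet owner would run on this advisory: whether the KEV remediation deadline (June 16 added, July 7 due) has passed, and which inventoried devices still run a build older than the fixed iOS 18.3.1. The KEV entry and device inventory are constructed sample data, and the KEV field names (cveID, dateAdded, dueDate) are assumed to match the public JSON feed.

```python
"""Triage CVE-2025-43200 against a device inventory (added example, constructed data)."""
from datetime import date

# Constructed entry in the shape of the CISA KEV JSON feed, using the article's dates.
# Assumption: field names match the live feed; nothing here is fetched from CISA.
KEV_ENTRIES = [
    {"cveID": "CVE-2025-43200", "vendorProject": "Apple",
     "product": "Multiple Products", "dateAdded": "2025-06-16", "dueDate": "2025-07-07"},
]

# Fixed build per the article: iOS 18.3.1. Applying the same threshold to iPadOS is an assumption.
FIXED_VERSIONS = {"CVE-2025-43200": {"iOS": (18, 3, 1), "iPadOS": (18, 3, 1)}}

# Constructed MDM-style inventory; device ids and versions are made up for the example.
DEVICES = [
    {"id": "dev-01", "os": "iOS", "version": "18.3.1"},
    {"id": "dev-02", "os": "iOS", "version": "18.3"},
    {"id": "dev-03", "os": "iPadOS", "version": "17.7.5"},
    {"id": "dev-04", "os": "iOS", "version": "18.4"},
]


def parse_version(v: str) -> tuple:
    """'18.3' -> (18, 3, 0): pad to three components so '18.3' sorts below '18.3.1'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def vulnerable_devices(cve: str, devices=DEVICES) -> list:
    """Ids of devices whose OS build predates the fixed version for `cve`."""
    fixed = FIXED_VERSIONS[cve]
    return [d["id"] for d in devices
            if d["os"] in fixed and parse_version(d["version"]) < fixed[d["os"]]]


def kev_status(cve: str, today_iso: str, entries=KEV_ENTRIES) -> str:
    """'overdue', 'due in N days', or 'not in KEV' relative to the given date."""
    today = date.fromisoformat(today_iso)
    for entry in entries:
        if entry["cveID"] == cve:
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            return "overdue" if days_left < 0 else f"due in {days_left} days"
    return "not in KEV"


if __name__ == "__main__":
    print(kev_status("CVE-2025-43200", "2025-06-20"))   # due in 17 days
    print(vulnerable_devices("CVE-2025-43200"))         # ['dev-02', 'dev-03']
```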
