iOS Zero Click Flaw Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert following the discovery and active exploitation of a critical zero-click vulnerability in Apple’s ecosystem, tracked as CVE-2025-43200.

This flaw, now patched, enabled attackers to compromise iOS, iPadOS, macOS, watchOS, and visionOS devices without any user interaction, raising alarms across the cybersecurity and journalism communities.

How the Attack Worked

The vulnerability stemmed from a logic issue in Apple’s Messages app, specifically when processing maliciously crafted photos or videos shared via iCloud Links.

Attackers could exploit this flaw to install spyware simply by sending a booby-trapped media file to a target’s device—no click or user action was required.

Once triggered, the exploit allowed remote code execution and full device compromise, all without the victim’s knowledge or any visible signs of infection.

Paragon’s Graphite Spyware: Journalists Targeted

Citizen Lab, a leading digital rights research group, uncovered forensic evidence that the advanced mercenary spyware “Graphite,” developed by Israeli firm Paragon Solutions, was deployed using this zero-click vulnerability.

At least three European journalists, including Italian reporter Ciro Pellegrino and a prominent unnamed European journalist, were confirmed as targets.

Two cases were forensically verified: both journalists received Apple threat notifications on April 29, 2025, alerting them to the compromise.

The attack infrastructure was traced to a command-and-control server (IP: 46.183.184[.]91), linked to Paragon’s spyware operations.

The same iMessage account, dubbed “ATTACKER1,” was used to deliver the exploit to multiple targets, suggesting a single operator or customer behind the campaign.

The spyware campaign has sparked controversy, particularly in Italy, where the government’s intelligence oversight committee (COPASIR) acknowledged the use of Paragon’s Graphite spyware but denied knowledge of who targeted certain journalists.

The Italian government has since severed ties with Paragon amid growing scrutiny and calls for greater oversight of commercial surveillance tools.

Graphite spyware is capable of accessing messages, emails, photos, and location data, and of activating microphones and cameras, posing severe risks to journalistic sources and press freedom.

Apple’s Response and Urgent Recommendations

Apple patched CVE-2025-43200 in iOS 18.3.1 and related updates released on February 10, 2025, but did not publicly disclose the exploit’s details until June, after Citizen Lab’s findings. Devices running earlier versions remained vulnerable through early 2025.

CISA has mandated that all U.S. federal agencies apply mitigations by July 7, 2025, following vendor instructions, or discontinue use if mitigations are unavailable.

All users are strongly advised to update their Apple devices immediately.

Individuals who receive threat notifications from Apple, Meta, WhatsApp, or Google should take them seriously and seek expert assistance from organizations such as Access Now’s Digital Security Helpline or Amnesty International’s Security Lab. 

These warnings indicate a high likelihood of being individually targeted by sophisticated mercenary spyware.

This incident underscores the escalating threat posed by commercial spyware to journalists and civil society worldwide.

The lack of accountability and transparency in the use of such tools highlights the urgent need for stronger regulatory oversight and protection of press freedom.
