Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware

News Room
Last updated: 2025/06/13 at 3:51 AM
News Room Published 13 June 2025

Apple has disclosed that a now-patched security flaw present in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks.

The vulnerability, tracked as CVE-2025-43200, was addressed on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.

“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link,” the company said in an advisory, adding the vulnerability was addressed with improved checks.

The iPhone maker also acknowledged that it’s aware the vulnerability “may have been exploited in an extremely sophisticated attack against specifically targeted individuals.”

It’s worth noting that the iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 updates also resolved another actively exploited zero-day tracked as CVE-2025-24200. It’s currently not known why Apple chose not to disclose the existence of this flaw until now.

While Apple did not share any further details of the nature of the attacks weaponizing CVE-2025-43200, the Citizen Lab said it unearthed forensic evidence that the shortcoming was leveraged to target Italian journalist Ciro Pellegrino and an unnamed prominent European journalist and infect them with Paragon’s Graphite mercenary spyware.

The interdisciplinary research center described the attack as zero-click, meaning the vulnerability could be triggered on targeted devices without requiring any user interaction.

“One of the journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1,” researchers Bill Marczak and John Scott-Railton said. “We believe that this infection would not have been visible to the target.”

Both individuals were notified on April 29, 2025, by Apple that they were targeted with advanced spyware. Apple began sending threat notifications to alert users it suspects have been targeted by state-sponsored attackers starting November 2021.

Graphite is a surveillance tool developed by the Israeli private sector offensive actor (PSOA) Paragon. It can access messages, emails, cameras, microphones, and location data without any user action, making detection and prevention especially difficult. The spyware is typically deployed by government clients under the guise of national security investigations.

The Citizen Lab said the two journalists were sent iMessages from the same Apple account (codenamed “ATTACKER1”) to deploy the Graphite tool, indicating that the account may have been used by a single Paragon customer to target them.

The development is the latest twist in a scandal that erupted in January, when Meta-owned WhatsApp divulged that the spyware had been deployed against dozens of users globally, including Pellegrino’s colleague Francesco Cancellato. In all, a total of seven individuals have been publicly identified as victims of Paragon targeting and infection to date.

Earlier this week, the Israeli spyware maker said it has terminated its contracts with Italy, citing the government’s refusal to let the company independently verify that Italian authorities did not break into the phone of the investigative journalist.

“The company offered both the Italian government and parliament a way to determine whether its system had been used against the journalist in violation of Italian law and the contractual terms,” it said in a statement to Haaretz.

However, the Italian government said the decision was mutual and that it rejected the offer due to national security concerns.

The Parliamentary Committee for the Security of the Republic (COPASIR), in a report published last week, confirmed that Italian foreign and domestic intelligence services used Graphite to target the phones of a limited number of people after necessary legal approval.

COPASIR added that the spyware was used to search for fugitives, counter illegal immigration, alleged terrorism, organized crime, fuel smuggling and counter-espionage, and internal security activities. However, the phone belonging to Cancellato was not among the victims, it said, leaving a key question as to who may have targeted the journalist unanswered.

The report, however, sheds light on how Paragon’s spyware infrastructure works in the background. It said an operator has to sign in with a username and password in order to use Graphite. Each deployment of the spyware generates detailed logs that are located on a server controlled by the customer and not accessible by Paragon.

“The lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat, and underlines the dangers of spyware proliferation and abuse,” the Citizen Lab said.

The European Union (E.U.) has previously raised concerns over the unchecked use of commercial spyware, calling for stronger export controls and legal safeguards. Recent cases like this one could intensify pressure for regulatory reforms at both national and E.U. levels.

Apple’s threat notification system is based on internal threat intelligence and may not detect all instances of targeting. The company notes that receiving such a warning does not confirm an active infection, but indicates that unusual activity consistent with a targeted attack was observed.

The Return of Predator

The latest revelations come as Recorded Future’s Insikt Group said it observed a “resurgence” of Predator-related activity, months after the U.S. government sanctioned several individuals tied to Israeli spyware vendor Intellexa/Cytrox.

This includes the identification of new victim-facing Tier 1 servers, a previously unknown customer in Mozambique, and connections between Predator infrastructure and FoxITech s.r.o., a Czech entity previously associated with the Intellexa Consortium.

Over the past two years, Predator operators have been flagged in over a dozen countries, such as Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago.

“This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent,” the company said.

“This likely reflects growing demand for spyware tools, especially in countries facing export restrictions, ongoing technical innovation in response to public reporting and security enhancements, and increasingly complex corporate structures designed to impede sanctions and attribution.”
