CISA has added a critical iOS zero-click vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning of active exploitation. The flaw, tracked as CVE-2025-43200, affects multiple Apple products, including iOS, macOS, watchOS, and visionOS. It allows attackers to compromise devices without any user interaction through maliciously crafted photos or videos shared via iCloud Links. Zero-click attacks of this kind bypass user awareness and traditional security measures. The exploit is particularly dangerous because victims have no indication of compromise at any point during the attack.
CISA added the vulnerability to the KEV catalog on June 16, 2025, with a remediation deadline of July 7th. Citizen Lab researchers have confirmed that the Graphite spyware, developed by Paragon Solutions, exploited this zero-click vulnerability. The spyware was used to target at least three European journalists, with iMessage as the primary delivery vector. Confirmed targets include Italian journalists Ciro Pellegrino and Francesco Cancellato, who both received Apple security notifications on April 29, 2025. Subsequent forensic examination confirmed the presence of Graphite spyware artifacts on their devices, indicating successful compromise.
Technical analysis of all the compromised journalists’ devices revealed connections to infrastructure associated with a specific IP address.
This server matched Citizen Lab’s “Fingerprint P1” identifier until at least April 12, 2025, which gave researchers crucial attribution evidence linking the attacks directly to Paragon’s known spyware operations. The attack methodology demonstrates that modern mercenary spyware operations can bypass Apple’s security architecture.
The confirmed targets of this spyware campaign received official security notifications from Apple, alerting them to potential advanced spyware compromises.
Apple addressed CVE-2025-43200 in the iOS 18.3.1 software update, mitigating the attack vector. However, many devices running earlier iOS versions remained vulnerable throughout early 2025, which underscores the importance of keeping software current. The incident highlights the ongoing “spyware crisis” affecting journalists globally, with mercenary surveillance tools increasingly targeting them. Security experts recommend that individuals who receive spyware warnings from Apple, Meta, or Google treat these alerts very seriously. Organizations should immediately implement CISA’s recommended mitigations, including applying all vendor security updates.