Apple Fixes Vulnerability Used in Paragon Spyware Attacks

Apple has recently addressed a significant security vulnerability that facilitated zero-click attacks, allowing the installation of Paragon Graphite spyware on the iPhones of two European journalists. This issue, identified as CVE-2025-43200, was patched in iOS 18.3.1, which was released in February. However, the details of this vulnerability were only disclosed in Apple’s advisory this week.

The specific vulnerability was related to how the Messages app processes maliciously crafted photos or videos shared via an iCloud link. Apple acknowledged the severity of the situation, stating that it was aware of reports suggesting this flaw may have been exploited in advanced attacks on targeted individuals.

Details on Paragon Spyware Attacks

A report from Citizen Lab indicated that on April 29, 2025, Apple notified a limited number of iOS users about being targeted by sophisticated spyware. The exact number of users affected remains unclear, but it includes two journalists: one who prefers to stay anonymous and Ciro Pellegrino, an Italian journalist. Both provided their devices to Citizen Lab for in-depth technical analysis, which confirmed a connection between the intrusions targeting these individuals.

The Citizen Lab analysis revealed that the anonymous journalist’s device was compromised between January and early February 2025 while running iOS 18.2.1. The logs from the device indicated a series of requests to a server that matched an established fingerprint associated with Paragon’s Graphite spyware. This correlation was made with a high degree of certainty.

A specific iMessage account was identified during the same period when the device communicated with the suspected Paragon server. Citizen Lab concluded that this account was instrumental in deploying Paragon’s Graphite spyware through a sophisticated zero-click attack conducted via iMessage. They stressed that this infection was likely undetectable by the targeted user.

The same iMessage account also appeared in the device logs of Pellegrino’s iPhone, further linking it to a Graphite zero-click attack attempt. Typically, customers of mercenary spyware companies are provided with dedicated infrastructure, suggesting that the identified account was used solely by one Graphite operator targeting both journalists.

Connections to Other Paragon Spyware Incidents

Pellegrino is the second journalist from the Italian news outlet Fanpage.it reported to have been targeted with Paragon spyware. Earlier, in January 2025, another editor, Francesco Cancellato, was informed via WhatsApp of similar spyware targeting. This pattern raises concerns that the news organization itself is being targeted.

To date, three European journalists have been confirmed as targets of Paragon’s spyware, yet there remains a significant lack of clarity regarding the identities of those behind this surveillance. The emergence of a second case linked specifically to Fanpage.it amplifies the urgency surrounding the questions of accountability and the legal frameworks governing such intrusive actions.

Citizen Lab emphasized that the lack of accountability available to the spyware's targets reflects a broader issue of invasive digital threats faced by journalists in Europe. The proliferation and misuse of spyware continue to pose significant risks, underscoring the need for increased scrutiny and protective measures for those in the media.

The implications of these findings not only spotlight the potential dangers faced by journalists but also raise profound ethical and legal questions regarding the use of spyware. As technology advances, the necessity for more robust protective measures becomes increasingly urgent in safeguarding the integrity and security of individuals within the journalism community.
