Apple Patches Zero-Click Flaw in Messages App Targeting Journalists
Apple recently announced that it has resolved a significant security vulnerability in its Messages app that was actively exploited to target members of civil society. The flaw, tracked as CVE-2025-43200, was addressed in operating system updates released on February 10, 2025, including iOS 18.3.1 and macOS Sequoia 15.3.1.
Understanding the Vulnerability
CVE-2025-43200 is a logic issue in the handling of maliciously crafted multimedia files shared through iCloud Links. Apple confirmed that this weakness made it possible for attackers to compromise devices without requiring any interaction from the user, a technique known as a "zero-click" exploit. The company said the fix improves the security checks involved.
Targeted Attacks on Journalists
Apple disclosed its awareness of this flaw being exploited in highly sophisticated attacks aimed at specific individuals. Research conducted by Citizen Lab corroborated this, revealing that the vulnerability was leveraged to target notable journalists, including Ciro Pellegrino. The attack reportedly involved deploying Paragon’s Graphite spyware, allowing the attackers to infiltrate these journalists’ devices discreetly.
Citizen Lab researchers highlighted that the espionage attack occurred without any visible signs of compromise for those affected. This suggests that targeted users would remain unaware of any security breach while sensitive information could be accessed in real-time by the malicious actors behind the attack.
Advanced Spyware and Its Implications
Graphite, the spyware used in these attacks, is attributed to Paragon, an Israeli private sector offensive actor. It possesses the capacity to collect an extensive array of data—from messages to location information—without requiring user engagement, thereby raising serious concerns about privacy and security.
The surveillance tool was reported to have been deployed after the affected journalists received iMessages from a single Apple account identified as "ATTACKER1." This connection suggests that a unified entity targeted these individuals rather than multiple attackers acting independently.
Apple’s Notifications to Targets
On April 29, 2025, Apple informed the impacted individuals of the sophisticated nature of the spyware attacks they had faced. The tech giant initiated a threat notification system back in November 2021, aiming to alert users believed to be under threat from state-sponsored attackers. While receiving such a notification indicates unusual activity on a device, it does not confirm an active infection.
The Wider Context of Cyber Surveillance
The case of Pellegrino isn’t isolated, as Meta-owned WhatsApp reported the use of Graphite against numerous users globally. To date, seven distinct individuals have been publicly identified as victims of this surveillance campaign, with calls for enhanced regulatory measures growing stronger as concerns over the misuse of spyware escalate.
Italian authorities are now in a complicated position regarding the use of Graphite. Recently, Paragon terminated its contracts with Italy, citing a lack of transparency in government practices. Although the Italian government acknowledged the use of Graphite for varied national security reasons, details surrounding the specific targeting of journalists remain vague, sparking further inquiries into ethical uses of surveillance technology.
Regulatory Reforms and Future Safeguards
The proliferation of commercial spyware has drawn scrutiny from the European Union, which is advocating for stricter regulations on software exports and a framework to protect individual privacy rights. Events like this underline the critical need for substantive legal protections as the capabilities of spyware become more sophisticated and prevalent, particularly against an increasing number of journalists and activists.
The Resurgence of Surveillance Tactics
Recent reports from Recorded Future’s Insikt Group point to a renewed spike in activity related to Predator, another surveillance tool that has been tied to instances of espionage around the globe. The findings raise alarms about the continuous demand for such invasive technologies and the evolving strategies employed by both private companies and state actors to execute these covert operations.
As economies and infrastructures around the world adapt to new security landscapes, it is imperative to remain vigilant about safeguarding personal and professional integrity amid these emerging digital threats.