Apple has confirmed a sophisticated zero-click vulnerability in its Messages app was exploited to deploy mercenary spyware against journalists, according to a security advisory updated on June 11, 2025. The flaw, tracked as CVE-2025-43200, was patched in February, but its use in a targeted espionage campaign was only brought to light by a new investigation from the University of Toronto’s Citizen Lab.
A forensic analysis by Citizen Lab provides the first public proof that spyware from Israeli firm Paragon Solutions was used to compromise iPhones. While Apple’s advisory confirms the flaw and its exploitation, the Citizen Lab report identifies the victims and the commercial surveillance tool, known as Graphite. The incident exposes the relentless efforts by private surveillance vendors to find and weaponize software flaws, posing a direct threat to the press, activists, and civil society.
This case underscores the high-stakes, cat-and-mouse game between the world’s largest technology companies and a shadowy, state-sponsored spyware industry. For users, it is a stark reminder that even on a platform known for its security, highly motivated attackers can find a way in, often without the target ever having to click a single link.
Anatomy of a Zero-Click Exploit
The vulnerability resided in a logic issue within Apple’s software that could be triggered by a maliciously crafted file sent through iMessage. According to Apple’s security advisory, the exploit specifically involved how the system processed a photo or video shared via an iCloud Link. This method allowed an attacker to gain access to a device without any user interaction, making it exceptionally dangerous.
On February 10, 2025, Apple addressed the critical flaw by releasing a series of software updates with improved security checks. The patches were included in iOS 18.3.1, iPadOS 18.3.1, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.
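For a defender, the practical question raised by the patch list above is which managed devices are still below the fixed versions. The following script is an added example written for this article, not Apple’s advisory or any tool mentioned here; it encodes the minimum fixed versions the article lists (keyed by major version for macOS, since Sequoia, Sonoma and Ventura each got a separate build), compares device versions numerically rather than lexically, and flags devices whose major release has no listed fix as needing manual review. The device inventory is constructed sample data.

```python
# Added example (not from the article or from Apple): a patch-compliance check
# for CVE-2025-43200 against the fixed versions Apple shipped on February 10, 2025.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum fixed versions as listed in the article. macOS is keyed by major
# version because each supported macOS line received its own fixed build.
FIXED_VERSIONS: Dict[str, Dict[int, Version]] = {
    "iOS": {18: (18, 3, 1)},
    "iPadOS": {18: (18, 3, 1)},
    "macOS": {15: (15, 3, 1), 14: (14, 7, 4), 13: (13, 7, 4)},
    "watchOS": {11: (11, 3, 1)},
    "visionOS": {2: (2, 3, 1)},
}


def parse_version(text: str) -> Version:
    """Turn '18.3.1' into (18, 3, 1) so comparison is numeric.

    String comparison would rank '18.10' below '18.3.1'; tuple comparison
    of integers does not. Short versions are padded so '18.3' == (18, 3, 0).
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def assess(platform: str, version: str) -> str:
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    table = FIXED_VERSIONS.get(platform)
    if table is None:
        return "unknown"  # platform not covered by this advisory
    fixed = table.get(v[0])
    if fixed is None:
        # Major release with no fixed build in this advisory (for example a
        # macOS 12 host): do not assume it is safe; review it separately.
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


# Constructed sample inventory (hostname, platform, reported version); not real data.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("phone-01", "iOS", "18.3.1"),
    ("phone-02", "iOS", "18.2.1"),
    ("phone-03", "iOS", "18.10"),    # lexically "smaller" than 18.3.1, numerically newer
    ("mac-01", "macOS", "14.7.3"),
    ("mac-02", "macOS", "15.3.1"),
    ("mac-03", "macOS", "12.7.6"),   # no fixed build listed for this major: manual review
    ("watch-01", "watchOS", "11.3"),
]


def find_unpatched(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return, sorted, every hostname that is not confirmed patched."""
    return sorted(host for host, plat, ver in inventory if assess(plat, ver) != "patched")


if __name__ == "__main__":
    for host, plat, ver in SAMPLE_INVENTORY:
        print(f"{host:10} {plat:8} {ver:8} {assess(plat, ver)}")
    print("needs attention:", find_unpatched(SAMPLE_INVENTORY))
```

Devices reporting "unknown" are deliberately grouped with the vulnerable ones in `find_unpatched`: a host on a major release that received no fixed build in this advisory is a gap in coverage, not evidence of safety.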
This move is consistent with Apple’s long-standing policy on vulnerability disclosures: “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.” The public CVE entry was only added months later, coinciding with the publication of the Citizen Lab report.
Connecting the Dots: From Threat Alert to Forensic Proof
The path to uncovering the espionage campaign began on April 29, when Apple issued threat notifications to a select group of users, warning they may have been targeted by state-sponsored attackers. Following these alerts, the detailed forensic analysis by The Citizen Lab revealed the full picture.
The lab’s researchers confirmed with high confidence that two of the notified individuals—Italian journalist Ciro Pellegrino and another prominent European journalist who remains anonymous—were targeted with Paragon’s Graphite spyware.
Investigators found that both journalists were targeted by the same operator using a single iMessage account, which they dubbed “ATTACKER1,” to deliver the zero-click exploit. This shared attacker account, combined with network traffic from one of the compromised phones to a known Paragon spyware server, provided the crucial link.
The case is particularly significant as it marks the first confirmed instance of Paragon’s spyware successfully compromising an Apple device. Pellegrino, whose colleague at the news outlet Fanpage.it was previously targeted, told The Record he believes the outlet was singled out. “I don’t like conspiracies, but there are two Italian journalists from the same newspaper in the same condition. It can’t be a coincidence.”
A ‘Problematic’ Industry Under Fire
This incident thrusts Paragon Solutions, a surveillance firm backed by former Israeli Prime Minister Ehud Barak, into a scandal reminiscent of those that have plagued its competitor, NSO Group.
The company is in the process of being acquired by a U.S.-based private investment firm. The case has drawn sharp criticism from researchers and regulators alike. John Scott-Railton of The Citizen Lab stated that the incident demonstrates a systemic issue within the commercial surveillance market. “Paragon is now mired in exactly the kind of abuse scandal that NSO Group is notorious for. This shows the industry and its way of doing business is the problem. It’s not just a few bad apples.”
The affair has also sparked controversy in Italy, where a parliamentary committee report acknowledged the government’s use of Paragon spyware in other contexts. The targeting of journalists has led to a public dispute between Paragon and Italian officials, as reported by Haaretz, over who bears responsibility for the alleged misuse.
The European Commission, responding to the news, issued a stern warning, with a spokesperson stating that any attempt to illegally access the data of citizens, including journalists, is “unacceptable, if confirmed.” The corporate world has also pushed back, with WhatsApp confirming in a statement to the Associated Press that it had previously sent a cease-and-desist letter to Paragon over other targeting attempts.
Ultimately, the successful weaponization of CVE-2025-43200 serves as a powerful illustration of the spyware industry’s core business model. As Citizen Lab researcher Scott-Railton noted, “If you sell mercenary spyware to governments, they are going to use it and potentially abuse it in ways you cannot control. It’s becoming ever clearer that this is a truism about the industry.”
While Apple has closed this particular door, the incident demonstrates that for every vulnerability patched, another is being sought by a lucrative and opaque industry that continues to operate with little oversight, leaving the digital safety of journalists, dissidents, and citizens hanging in the balance.