Apple has revealed that the currently patched security flaws present in messaging apps are actively exploited in the wild to target civil society members in sophisticated cyber attacks.
Vulnerabilities tracked as CVE-2025-43200 include iOS 18.3.1, iPads 18.3.5, iPads 17.7.5, Macos Sequoia 15.3.1, Macos Sonoma 14.7.4, Macos Ventura 13.7.4, Watchos 11.3.1, and Visions 2.1.1.1.4, MacOS Socona 14.7.4,
“There was a logic issue when dealing with malicious photos or videos shared via iCloud links,” the company said in its advisory, adding that the vulnerability was addressed with improved checks.
The iPhone maker also acknowledged that the vulnerability could have been “exploited in a highly sophisticated attack, especially on targeted individuals.”
It is worth noting that iOS 18.3.1, iPados 18.3.1, and iPados 17.7.5 updates also resolved another actively utilized zero day tracked as CVE-2025-24200. Currently, it is currently unknown why Apple chose not to reveal the existence of this flaw.
Although Apple did not share details of the nature of the attack that weaponized CVE-2025-43200, it said Citizen Lab had unearthed forensic evidence that it targeted Italian journalist Ciro Pellegrino and prominent European journalists, and Italian journalist Ciro Pellegrino and prominent European journalists to infect Paragon’s Graphite Spyware.
The interdisciplinary research center described the attack as zero clicks. This means that vulnerabilities can be triggered on the target device without the need for user interaction.
“One of the journalist devices was compromised with Paragon’s graphite spyware from January to early February 2025 while running IOS 18.2.1,” said researchers Bill Marcak and John Scott Railton. “I believe this infection was not visible as a target.”
Both individuals were notified by Apple on April 29, 2025 that they were targeted with advanced spyware. Starting in November 2021, Apple began sending threat notifications to alert users suspected of being targeted by state-sponsored attackers.
Graphite is a surveillance tool developed by Israeli private sector attack actor (PSOA) Paragon. Access messages, emails, cameras, microphones, and location data without user actions, making detection and prevention particularly difficult. Spyware is usually deployed by government clients under the guise of a national security investigation.
Citizen Lab said that two journalists deployed graphite tools by sending Imessages from the same Apple account (codenamed “Attacker1”) indicating that the account could have been used by a single Paragon customer and used by the target.
The development is the latest twist in a scandal that broke out in January when Meta-owned Whatsapp happened, which had meta-owned Whatsapp had been rolled out to dozens of users around the world, including Pellegrino colleague Francesco Cancellato. Overall, a total of seven have been publicly identified as victims of paragon targeting and infection so far.
Earlier this week, the Israeli spyware manufacturer said it had ended its contract with Italy, and that the government refused to independently confirm that Italian authorities had not broken into the phones of investigative journalists.
“The company has provided both the Italian government and the parliament with a way to determine whether it was being used against journalists in violation of Italian law and terms of contract,” he said in a statement to Haaretz.
However, the Italian government said the decision was mutual and rejected the offer due to national security concerns.
In a report released last week, the Republic’s Parliamentary Committee on Security (Copasir) confirmed that Italian foreign and domestic intelligence agency will use graphite to target a limited number of mobile phones after necessary legal approval.
Copasir added that SPYware was used to search for fugitives, illegal immigration, suspected terrorism, organized crime, fuel smuggling and anti-spinaging, and internal security activities. However, although he said that no phones belonging to Cancerato were among the victims, he left an important question as to who targeted the journalists to unresponsives.
However, this report sheds light on how Paragon’s spyware infrastructure works in the background. He said that operators must sign in with their username and password to use graphite. Each spyware deployment is located on a customer-controlled server and generates detailed logs that Paragon cannot access.
“The lack of accountability available to these spyware targets underscores the extent to which European journalists continue to be exposed to this highly invasive digital threat, highlighting the dangers of spyware spread and abuse,” the Civic Research Institute said.
The European Union has previously raised concerns over the unidentified use of commercial spyware, calling for stronger export controls and legal protection measures. These recent cases could intensify regulatory reform pressures at both the national and EU levels.
Apple’s threat notification system is based on internal threat intelligence and may not be able to detect all instances of targeting. The company noted that such warnings do not confirm active infections, but indicates that abnormal activity has been observed consistent with targeted attacks.
The return of the predator
The latest revelation occurred in which a recorded Future Insikt group stated that a “revival” of predator-related activity was observed several months after the US government approved by several individuals linked to Israeli spyware vendor Intelexa/Cytrox.
This includes identifying a new victim Tier 1 server, a previously unknown customer in Mozambique, and its relationship with Foxitech Sro with Predator Infrastructure, a Czech entity previously associated with the Intelexa Consortium.
For the past two years, predator operators have flagged more than 12 counties, including Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, Trinidad and Trinidad.
“This is in line with the broader observation that predators are very active in Africa and that more than half of the identified clients are located on the continent,” the company said.
“This could reflect an increasing demand for spyware tools, continued innovation in response to public reporting and enhanced security, and an increasingly complex corporate structure designed to prevent sanctions and attribution, particularly in countries facing export restrictions.”
