Apple has disclosed a critical zero-click vulnerability in its Messages app that was actively exploited in the wild to deploy spyware against high-profile individuals, including investigative journalists.
The flaw, tracked as CVE-2025-43200, was addressed in a security update released on February 10, 2025, affecting multiple platforms including iOS, iPadOS, macOS, watchOS, and visionOS.
The issue stemmed from a logic flaw in how iCloud-shared photos or videos were processed, and was fixed by implementing improved input validation. Apple noted that the exploit may have been used in highly sophisticated attacks against a limited set of targeted individuals.
The update also quietly included a fix for another zero-day, CVE-2025-24200, whose exploitation details were not disclosed at the time.
🎯 Surveillance of Journalists Using Paragon’s Graphite Spyware
Subsequent forensic analysis by The Citizen Lab confirmed that CVE-2025-43200 was exploited to infect:
- Ciro Pellegrino, an Italian journalist
- A well-known European journalist (unnamed)
The attacks involved zero-click iMessages sent from a single Apple ID (referred to as “ATTACKER1”), which triggered the installation of Graphite, a spyware tool developed by Paragon, an Israeli private sector offensive actor.
Graphite grants remote access to messages, email, microphone, camera, and location data without any user interaction. It has been used by state clients under national security justifications, though its deployment against journalists has raised significant ethical and legal concerns.
Victims were alerted by Apple via threat notifications on April 29, 2025, as part of the company’s ongoing effort to notify users it suspects are targeted by state-sponsored attackers.
🕵️ Italian Spyware Controversy Escalates
The disclosure adds to a growing controversy that began in January 2025, when Meta’s WhatsApp revealed that Paragon’s spyware had also been used against other journalists, including Francesco Cancellato. Seven known individuals have since been publicly linked to Paragon-related infections.
Paragon has since terminated its contracts with the Italian government, citing the state’s refusal to allow third-party verification regarding the targeting of journalists.
The Italian government described the termination as mutual, citing national security concerns for rejecting Paragon’s offer to audit usage.
According to a report by COPASIR (Italy’s parliamentary intelligence oversight committee), national intelligence services used Graphite within legal bounds to investigate fugitives, smuggling, and terrorism. However, Cancellato was not listed among the official surveillance targets—leaving open questions about unauthorized deployments.
COPASIR also confirmed that Graphite logs are stored on customer-controlled servers, not accessible by Paragon itself, which raises challenges for oversight and accountability.
“The lack of meaningful redress for spyware victims highlights the growing threat to press freedom and underscores the urgent need for stronger legal and regulatory safeguards,” noted Citizen Lab researchers.
🌍 Predator Spyware Resurfaces Amid Global Expansion
In parallel, Recorded Future’s Insikt Group has tracked a resurgence in activity tied to Predator, another commercial spyware platform developed by Intellexa/Cytrox, despite previous U.S. sanctions.
New findings include:
- Fresh victim-facing infrastructure (Tier 1 servers)
- A new customer in Mozambique
- Infrastructure overlap with FoxITech s.r.o., a Czech company tied to the Intellexa Consortium
Predator continues to be widely deployed across more than a dozen countries, including Angola, Egypt, Saudi Arabia, Indonesia, Oman, Kazakhstan, the Philippines, and Trinidad & Tobago.
Analysts suggest that increased demand for surveillance tools—especially in regions under export restrictions—is fueling Predator’s global proliferation. Its use of complex corporate structures also complicates enforcement and attribution.
📌 SecurityX Insight
Recent events reveal a troubling escalation in the targeting of journalists with commercial spyware, using zero-day exploits, zero-click vectors, and nation-state infrastructure.
Key takeaways:
- Graphite and Predator are being used in politically sensitive regions under the pretext of national security
- Commercial spyware vendors are distancing themselves from direct deployment, shifting accountability to state clients
- Zero-click vulnerabilities continue to be a favored attack vector, especially on mobile platforms
- The lack of global oversight on spyware export and deployment is enabling unchecked surveillance
SecurityX will continue to monitor developments related to state-sponsored spyware, vendor transparency, and platform-level mitigations.