iOS zero-click attacks used to deliver Graphite spyware (CVE-2025-43200)

A zero-click attack leveraging a freshly disclosed Messages vulnerability (CVE-2025-43200) has infected the iPhones of two European journalists with Paragon’s Graphite mercenary spyware, Citizen Lab researchers revealed on Thursday.

The attacks happened in January and early February 2025. “We believe that this infection would not have been visible to the target,” the researchers noted.

About CVE-2025-43200

CVE-2025-43200 is a logic issue triggered when the Apple smartphone processed a maliciously crafted photo or video shared via an iCloud Link. Apparently, the target did not have to open or view the booby-trapped media file delivered via an iMessage for the exploit to work.

Apple fixed the vulnerability in iOS 18.3.1, released on February 10, though it kept the vulnerability under wraps until Wednesday, June 11.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company says in the updated advisory.

No explanation has been provided for the company’s earlier reticence relating to CVE-2025-43200, which is surprising as, at the same time, it fixed another vulnerability flagged by Citizen Lab researcher Bill Marczak: CVE-2025-24200 was also used in an extremely sophisticated attack against specific targeted individuals and allowed attackers to disable USB Restricted Mode on a locked device. That flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device.

What should you do?

Users who have upgraded to iOS 18.3.1 (and later iOS versions) are safe from this attack.

iPhone users concerned about being targeted by governments wielding mercenary spyware should consider enabling Lockdown Mode on iOS to minimize their attack surface.

There have been reports about Lockdown Mode blocking iOS spyware infections, though it’s unclear whether it can stymie this particular attack. High-risk users should also get in the habit of rebooting their device daily: spyware often does not have persistence capabilities, and in that case a reboot removes it.

Users who suspect that their devices might have been compromised can turn to organizations such as Citizen Lab, Amnesty International, or Access Now for help. There are also various tools they can use to check whether they’ve been saddled with mercenary spyware.

An unidentified Paragon operator is behind the attacks

Citizen Lab found “forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.”

The two journalists received an Apple notification in late April 2025 warning that they had been targeted with “unspecified advanced spyware”. This spurred them to seek technical assistance from Citizen Lab, which has gained an international reputation for uncovering abuses involving mercenary spyware.

The researchers say that the malware on both infected devices contacted the same server, which Citizen Lab linked to a currently unidentified Paragon operator.

[Figure: CVE-2025-43200 spyware. Source: Citizen Lab]

Earlier this year, three other Italian individuals – human rights activists Luca Casarini and Dr. Giuseppe Caccia, and journalist Francesco Cancellato – received a notification from WhatsApp informing them that they had been targeted with Paragon’s spyware. In the first two cases, the researchers found evidence of a Graphite infection.

“While the recent Parliamentary Committee for the Security of the Republic (COPASIR) report confirms that Italy’s intelligence services used highly-invasive Graphite spyware to target activists, it sought to justify the use on national security grounds. It also denied the targeting of journalist Francesco Cancellato. This new finding that another Italian journalist has been targeted with Graphite spyware, raises more questions,” commented Elina Castillo Jiménez, Advocacy and Policy Advisor on targeted surveillance at Amnesty International.

In related news, Recorded Future analysts have documented the resurgence of activity of Predator mobile spyware, “despite public exposure, international sanctions, and policy interventions.”
