Apple has confirmed that a critical zero-click vulnerability in its Messages app was actively exploited by sophisticated attackers to infect European journalists with Paragon’s Graphite mercenary spyware. The security flaw, tracked as CVE-2025-43200, allowed attackers to compromise target devices without any user interaction by sending maliciously crafted photos or videos through iCloud links, marking the first forensic confirmation of Paragon’s iOS surveillance capabilities being deployed in the wild.
Security researchers at Citizen Lab discovered that the vulnerability was used to target Italian journalist Ciro Pellegrino and another prominent European journalist in January and February 2025. The attacks involved sending iMessages from the same Apple account to deploy the Graphite spyware, which can access messages, emails, cameras, microphones, and location data without detection. Both journalists were notified by Apple on April 29, 2025, through the company’s threat notification system that alerts users suspected of being targeted by state-sponsored attackers.
The vulnerability was patched on February 10, 2025, across multiple Apple platforms including iOS, iPadOS, macOS, watchOS, and visionOS, though Apple chose not to publicly disclose the active exploitation until months later. The timing coincides with growing scrutiny over commercial spyware use, particularly after WhatsApp revealed in January that Paragon’s tools had been deployed against dozens of users globally. These revelations have intensified the ongoing scandal surrounding the misuse of surveillance technology against journalists and civil society members.