Apple Confirms Zero-Click iMessage Exploit Used to Deploy Israeli Surveillance Software Against European Journalists
Apple has confirmed that a critical security vulnerability in its Messages application was actively exploited by sophisticated threat actors to target civil society members with advanced spyware. The company revealed that the flaw enabled zero-click attacks against specifically chosen individuals, requiring no user interaction to compromise their devices.
The Vulnerability Details
The security weakness, designated CVE-2025-43200, stemmed from a logic error in how the Messages app processed malicious multimedia content shared through iCloud Links. Apple remediated this issue on February 10, 2025, through security updates across multiple platforms including iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.
The same security update package also addressed another actively exploited zero-day vulnerability (CVE-2025-24200), though Apple has not explained why public disclosure of CVE-2025-43200 was delayed.
Targeted Attacks on Journalists
Research conducted by the Citizen Lab revealed that the vulnerability was weaponized to compromise devices belonging to Italian journalist Ciro Pellegrino and an unnamed prominent European journalist. The attacks successfully installed Paragon's Graphite mercenary spyware on their devices during January and early February 2025; at least one of the victims was running iOS 18.2.1 at the time.
The compromised individuals received threat notifications from Apple on April 29, 2025, informing them that they had been targeted with advanced spyware. Apple's threat notification program, launched in November 2021, alerts users when the company suspects they have been targeted by state-sponsored attacks.
Both journalists received malicious iMessages from the same Apple account, suggesting coordination by a single Paragon customer. The infections were designed to remain completely invisible to the targeted individuals.
Paragon's Graphite Spyware Capabilities
Graphite represents a sophisticated surveillance tool developed by Israeli private sector offensive actor Paragon. The spyware provides comprehensive access to victim devices, including messages, emails, camera feeds, microphone recordings, and location data. Its zero-click deployment capability makes detection and prevention particularly challenging for targets.
Government clients typically deploy Graphite under national security justifications, though its use has raised significant concerns about abuse and overreach in surveillance operations.
Italian Government Spyware Scandal
This disclosure represents the latest development in an ongoing controversy that began in January when Meta's WhatsApp revealed that Paragon spyware had been deployed against dozens of users worldwide, including Francesco Cancellato, a colleague of Pellegrino. Seven individuals have now been publicly identified as confirmed victims of Paragon targeting.
Earlier this week, Paragon announced the termination of its contracts with the Italian government, citing Italy's refusal to allow independent verification of whether Italian authorities had illegally accessed Cancellato's device. The company had offered both the Italian government and parliament mechanisms to determine if its system had been misused in violation of Italian law and contractual agreements.
Italian officials characterized the decision as mutual, rejecting Paragon's verification offer due to national security considerations.
Parliamentary Investigation Findings
The Parliamentary Committee for the Security of the Republic (COPASIR) published a report confirming that Italian intelligence services had utilized Graphite to target a limited number of individuals following proper legal authorization. The spyware was reportedly employed for various law enforcement purposes including fugitive tracking, immigration enforcement, terrorism prevention, organized crime investigation, fuel smuggling interdiction, counter-espionage, and internal security operations.
Notably, COPASIR stated that Cancellato's device was not among those targeted by Italian authorities, leaving questions about the source of his compromise unanswered.
The report also provided insights into Paragon's operational infrastructure, revealing that Graphite operators must authenticate with usernames and passwords. Each spyware deployment generates comprehensive logs stored on customer-controlled servers that remain inaccessible to Paragon itself.
Regulatory and Legal Implications
The Citizen Lab emphasized that these incidents highlight the continued vulnerability of European journalists to invasive digital surveillance threats and underscore the dangers of commercial spyware proliferation and abuse. The lack of accountability mechanisms for spyware victims remains a significant concern.
The European Union has previously expressed concerns about unregulated commercial spyware usage, advocating for enhanced export controls and legal protections. These recent cases may intensify pressure for comprehensive regulatory reforms at both national and EU levels.
Apple's Threat Detection Limitations
Apple's threat notification system relies on internal threat intelligence capabilities and may not identify all targeting attempts. The company notes that receiving such notifications does not necessarily confirm active device compromise but indicates observation of unusual activity consistent with targeted attack patterns.
Predator Spyware Resurgence
Concurrent with the Graphite revelations, Recorded Future's Insikt Group has documented a resurgence of activity related to Predator spyware, despite U.S. sanctions against individuals connected to Israeli vendor Intellexa/Cytrox. This renewed activity includes identification of new victim-facing infrastructure, a previously unknown customer in Mozambique, and connections between Predator operations and Czech entity FoxITech s.r.o.
Over the past two years, Predator operations have been identified across more than a dozen countries including Angola, Armenia, Botswana, Democratic Republic of Congo, Egypt, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, Philippines, Saudi Arabia, and Trinidad and Tobago.
Research indicates that Predator maintains a particularly strong presence in Africa, with over half of its identified customers located on the continent. This geographic concentration likely reflects increasing demand for surveillance tools in countries facing export restrictions, ongoing technical innovation in response to public scrutiny and security improvements, and increasingly complex corporate structures designed to evade sanctions and attribution efforts.
Broader Implications
These developments illustrate the persistent challenges posed by commercial spyware proliferation, particularly its impact on press freedom and civil society. The combination of zero-click exploitation capabilities, sophisticated evasion techniques, and unclear accountability mechanisms continues to pose significant risks to targeted individuals and democratic institutions globally.