Pierluigi Paganini June 13, 2025

Apple confirmed that a security flaw in its Messages app was actively exploited in the wild to target journalists with Paragon’s Graphite spyware.

Apple confirmed that a now-patched vulnerability, tracked as CVE-2025-43200, in its Messages app was actively exploited in the wild to target journalists with Paragon’s Graphite spyware.

The IT giant addressed the flaw CVE-2025-43200 on February 10, 2025, with the release of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. The same versions also addressed the WhatsApp vulnerability CVE-2025-24200 that was exploited in “extremely sophisticated” targeted attacks.

“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link.” reads the advisory published by the company. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

The company addressed this vulnerability by implementing improved checks.

This week, Citizen Lab confirmed that Paragon’s Graphite spyware was used to hack fully updated iPhones, targeting at least two journalists in Europe. The group found forensic evidence showing the phones had communicated with the same spyware server. Apple quietly alerted the victims earlier this year, marking the first confirmed case of Paragon’s tools being used in real-world attacks.

On April 29, 2025, Apple alerted select iOS users of spyware targeting. Forensic analysis confirmed that two journalists, including Ciro Pellegrino, were infected with Paragon’s Graphite spyware. Both cases were linked to the same attacker. Apple has since patched the zero-click exploit used in the attack, now tracked the flaw as CVE-2025-43200, in iOS version 18.3.1.

Early this week, Paragon accused the Italian government of refusing its offer to help investigate spyware use against a journalist. The company said this led to its decision to end contracts in Italy. Paragon claimed it proposed a way to verify if its tools were misused, but authorities declined. This marks the first time a spyware firm publicly cut ties with a client over alleged abuse. Paragon confirmed the statement’s accuracy but declined further comment.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Graphite spyware)