Saturday, December 13, 2025

CISA Alerts on Active Exploitation of iOS 0-Click Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-click vulnerability in Apple’s iOS to its Known Exploited Vulnerabilities (KEV) catalog, following evidence that the flaw has been actively exploited by sophisticated spyware campaigns targeting journalists across Europe.

CISA has designated CVE-2025-43200 as an actively exploited vulnerability affecting Apple’s iOS, iPadOS, macOS, watchOS, and visionOS platforms.

The unspecified vulnerability allows attackers to compromise a device when it processes a maliciously crafted photo or video shared via an iCloud Link, and exploitation requires no user interaction.

The agency’s KEV catalog serves as the authoritative source for vulnerabilities exploited in the wild, providing organizations with critical intelligence for vulnerability management prioritization.

CISA recommends that organizations apply vendor-provided mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue product use if mitigations remain unavailable.

Apple confirmed that the vulnerability was patched in iOS 18.3.1, but devices running earlier versions remained vulnerable through early 2025.

The zero-click nature of this exploit makes it particularly dangerous, as victims have no indication of compromise and cannot prevent infection through typical security awareness practices.

iOS 0-Click Vulnerability

Forensic analysis has revealed that the advanced Graphite mercenary spyware, developed by Paragon Solutions, exploited CVE-2025-43200 to target at least three European journalists through sophisticated zero-click attacks.

The spyware infiltrated devices via iMessage using an account designated by researchers as “ATTACKER1.”

Among the confirmed victims are Italian journalist Ciro Pellegrino, head of the Naples newsroom at Fanpage.it, and a prominent European journalist who requested anonymity.

Both received Apple’s security notifications on April 29, 2025, alerting them to potential advanced spyware compromises.

Francesco Cancellato, another Fanpage.it journalist, was similarly targeted and received warnings from WhatsApp about Paragon spyware.

Technical analysis of compromised devices revealed connections to server IP address 46.183.184.91, linked to Paragon’s Graphite spyware infrastructure.

The server, hosted on VPS provider EDIS Global, continued matching Citizen Lab’s “Fingerprint P1” identifier until at least April 12, 2025.

The targeting of multiple journalists from the same news organization suggests a deliberate campaign to compromise Fanpage.it’s operations.

Citizen Lab researchers noted that “the identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization.”

Spyware Use Amid Investigation

The Italian government’s parliamentary intelligence oversight committee (COPASIR) published a report on June 5, 2025, acknowledging the use of Paragon’s Graphite spyware against certain individuals while denying knowledge of who specifically targeted Cancellato.

According to the report, the vulnerability was patched in iOS 18.3.1, but devices running earlier versions remained vulnerable through early 2025.

This admission has raised significant questions about oversight and accountability in mercenary spyware deployment.

Paragon Solutions offered to assist in investigating the Cancellato case, but Italian authorities rejected this proposal, citing national security concerns.

The Department of Security Intelligence (DIS) stated that providing Paragon such access would damage Italy’s reputation among international security services.

This campaign exemplifies the growing “spyware crisis” affecting journalists worldwide, highlighting the extent to which media professionals in Europe continue facing highly invasive digital threats.

Security researchers recommend that individuals receiving spyware warnings from Apple, Meta, WhatsApp, or Google take these alerts seriously and seek expert assistance from organizations like Access Now’s Digital Security Helpline or Amnesty International’s Security Lab.


Ethan Brooks
Ethan Brooks is a senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
