

CVE-2025-6121 – D-Link DIR-632 Vulnerability
June 17, 2025
Multiple Apache Products Vulnerabilities
June 17, 2025
Severity
High
Analysis Summary
A critical zero-click vulnerability, tracked as CVE-2025-43200, has been added by CISA to its Known Exploited Vulnerabilities (KEV) catalog after it was actively exploited in targeted spyware campaigns. This flaw affects a wide range of Apple products, including iOS, iPadOS, macOS, watchOS, and visionOS, and enables attackers to execute arbitrary code without any user interaction. The attack is triggered when devices process malicious media files, such as photos or videos, shared via iCloud Links. Apple addressed the issue in iOS 18.3.1, but earlier versions remain vulnerable, leaving unpatched devices open to silent exploitation.
The vulnerability was leveraged by Graphite spyware, developed by the mercenary surveillance firm Paragon Solutions. Researchers confirmed its use against at least three European journalists. These attacks were carried out via Apple’s iMessage platform, allowing for seamless and covert device compromise. Victims received security alerts from Apple on April 29, 2025, which were later validated through forensic analysis, confirming Graphite spyware artifacts on their devices.
Technical investigations revealed that the compromised devices communicated with infrastructure linked to IP address 46.183.184.91, hosted by EDIS Global. This server matched, providing attribution evidence connecting the exploit to Paragon Solutions. The zero-click nature of the attack, which requires no user interaction and offers no visible signs of compromise, highlights the advanced capabilities of mercenary spyware and the limitations of traditional user-based defenses.
In response, CISA has mandated that federal agencies patch affected systems by July 7, 2025, and urges all organizations to act immediately. Recommended mitigations include applying Apple’s latest security updates, disabling iCloud Links and iMessage where feasible, and following guidance from Binding Operational Directive 22-01 for cloud service security. The incident also reinforces the growing global spyware threat, especially toward journalists and civil society members, and underscores the importance of treating security warnings from vendors like Apple or Meta with urgency.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-43200
Affected Vendors
- Apple
Affected Products
- Apple iOS and iPadOS 16.7
- Apple macOS 14.7
- Apple macOS 15.3
- Apple iPadOS 17.7
- Apple watchOS 11.3
- Apple iOS and iPadOS 15.8
- Apple macOS 13.7
- Apple iOS and iPadOS 18.3
- Apple visionOS 2.3
Remediation
- Refer to Apple Security Advisory for patch, upgrade, or suggested workaround information.
- Disable iCloud Links and iMessage on devices that do not require these features.
- Follow CISA’s Binding Operational Directive 22-01 guidance for securing cloud-based services.
- Continuously monitor devices for signs of compromise or unusual activity.
- Treat security alerts from Apple, Meta, WhatsApp, or Google as high-priority and take immediate action.
- Seek expert assistance from organizations like Access Now’s Digital Security Helpline or Amnesty International’s Security Lab if you receive a spyware warning.
- Educate staff and journalists about the risks of zero-click exploits and encourage regular software updates.
- Implement mobile threat detection tools to detect and block advanced spyware threats.
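
The patching and monitoring steps above can be combined into one triage pass. The following is an added example, not part of the original advisory: it flags iOS devices below the fixed release (18.3.1) and any device that contacted the IP address named in the analysis. The CSV column names, device names and log rows are constructed assumptions.

```python
import csv
import io
import ipaddress

FIXED_IOS = (18, 3, 1)  # advisory: issue addressed in iOS 18.3.1
IOC_IPS = {ipaddress.ip_address("46.183.184.91")}  # advisory: linked infrastructure

# Constructed sample exports; column names are assumptions, adapt to your MDM/proxy.
INVENTORY = """device,os,version
press-iphone-01,iOS,18.3
press-iphone-02,iOS,18.3.1
press-iphone-03,iOS,17.7
desk-iphone-04,iOS,18.10
"""
FLOWS = """ts,device,dst_ip
2025-06-17T08:01:12Z,press-iphone-01,46.183.184.91
2025-06-17T08:02:40Z,press-iphone-03,192.0.2.10
2025-06-17T08:03:05Z,press-iphone-02,::ffff:46.183.184.91
2025-06-17T08:04:00Z,desk-iphone-04,not-an-ip
"""

def parse_version(text):
    """'18.3' -> (18, 3, 0): numeric compare, so 18.3 < 18.3.1 < 18.10."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def unpatched_ios(inventory_csv):
    """Devices running iOS older than the fixed release."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [r["device"] for r in rows
            if r["os"].lower() == "ios" and parse_version(r["version"]) < FIXED_IOS]

def ioc_contacts(flow_csv):
    """(device, timestamp) for each flow whose destination is a listed IP."""
    hits = []
    for r in csv.DictReader(io.StringIO(flow_csv)):
        try:
            dst = ipaddress.ip_address(r["dst_ip"].strip())
        except ValueError:
            continue  # malformed destination field, skip the row
        dst = getattr(dst, "ipv4_mapped", None) or dst  # unwrap ::ffff:a.b.c.d
        if dst in IOC_IPS:
            hits.append((r["device"], r["ts"]))
    return hits

def triage(inventory_csv, flow_csv):
    """IoC contact means investigate, even if the device is now patched."""
    contacted = {d for d, _ in ioc_contacts(flow_csv)}
    return {"investigate": sorted(contacted),
            "patch": sorted(set(unpatched_ios(inventory_csv)) - contacted)}
```

A device that appears under `investigate` stays there regardless of its current version, since patching does not remove an implant installed earlier.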