Full Report
Apple has disclosed that a now-patched security flaw present in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks. The vulnerability, tracked as CVE-2025-43200, was addressed on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1,
Analysis Summary
# Vulnerability: Logic Flaw in Apple Messages Processing of Malicious Media Leading to Zero-Click Exploit
## CVE Details
- CVE ID: CVE-2025-43200
- CVSS Score: Not provided in the cited sources. In practice the issue is high-severity: it was exploited in the wild without any user interaction, but no published base score should be inferred from that.
- CWE: Logic issue (Specific CWE not provided)
## Affected Systems
- Products: iOS, iPadOS, macOS, watchOS, visionOS (Apple Messages app component)
- Versions: All releases prior to the February 10, 2025 fix builds listed under Remediation. Citizen Lab's forensic confirmation was on devices running iOS 18.2.1.
- Trigger condition: Messages processing a maliciously crafted photo or video shared via an iCloud Link; no non-default configuration is required.
## Vulnerability Description
A logic flaw existed in Apple's Messages app when processing a maliciously crafted photo or video shared via an iCloud Link. An attacker who delivered such a link over iMessage could compromise the receiving device remotely with no user interaction (zero-click): the target only had to receive the message. The flaw was used in targeted attacks on civil society members to deploy Paragon's Graphite mercenary spyware, which Citizen Lab forensically confirmed on journalists' devices running iOS 18.2.1.
## Exploitation
- Status: **Exploited in the wild** (targeted attacks on civil society members, including journalists, per Apple and Citizen Lab)
- User Interaction: **None** (zero-click; the target need only receive the crafted iCloud Link)
- Attack Complexity: Not rated in the cited sources. "Zero-click" describes the absence of user interaction, not low exploit complexity; the exploit was delivered as part of a commercial spyware chain.
- Attack Vector: **Network** (iMessage delivering an iCloud Link to crafted media)
## Impact
- Confidentiality: High (Allows deployment of spyware capable of accessing messages, emails, camera, microphone, and location data)
- Integrity: High (Allows unauthorized code execution and data modification via spyware)
- Availability: High (a spyware implant with device-level control can disrupt or disable the device at the operator's discretion)
## Remediation
### Patches
Patches were released on February 10, 2025, addressing CVE-2025-43200:
* iOS 18.3.1
* iPadOS 18.3.1
* iPadOS 17.7.5
* macOS Sequoia 15.3.1
* macOS Sonoma 14.7.4
* macOS Ventura 13.7.4
* watchOS 11.3.1
* visionOS 2.3.1
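Because the fix ships on several release trains at once (macOS 13, 14 and 15 each got their own build, iPadOS got 17.7.5 as well as 18.3.1, and iOS 17 got no fixed build at all), a naive "is the version recent?" check misses devices. The script below, added here as an example and not Apple's or any MDM vendor's code, encodes the patch floors from the list above and buckets an inventory export into patched, vulnerable, and unsupported (no fixed build exists on that train, so the device must move to a listed train). The `Device` records and the inventory rows are constructed sample data, not real devices.

```python
"""Flag Apple devices still below the CVE-2025-43200 fix floor.

Assumed input: an MDM inventory export with one (device_id, product, os_version)
record per device. The patch floors are the February 10, 2025 releases listed
in Apple's advisories; the inventory rows at the bottom are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fixed build per (product, major release train). A train that is absent here
# (iOS 17, macOS 12, ...) has no fixed build, so a device on it cannot be
# patched in place and is reported as "unsupported".
FIX_FLOORS: dict[str, dict[int, tuple[int, ...]]] = {
    "iOS":      {18: (18, 3, 1)},
    "iPadOS":   {18: (18, 3, 1), 17: (17, 7, 5)},
    "macOS":    {15: (15, 3, 1), 14: (14, 7, 4), 13: (13, 7, 4)},
    "watchOS":  {11: (11, 3, 1)},
    "visionOS": {2: (2, 3, 1)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '18.3.1', '18.3' or '18' into a comparable tuple padded to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    while len(parts) < 3:
        parts.append(0)          # '15.3' means 15.3.0, which is below 15.3.1
    return tuple(parts)


def assess(product: str, os_version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one device."""
    trains = FIX_FLOORS.get(product)
    if trains is None:
        return "unsupported"     # product not covered by the advisory set
    ver = parse_version(os_version)
    floor = trains.get(ver[0])
    if floor is None:
        return "unsupported"     # release train has no fixed build listed
    return "patched" if ver >= floor else "vulnerable"


@dataclass(frozen=True)
class Device:
    device_id: str
    product: str
    os_version: str


def triage(inventory: list[Device]) -> dict[str, list[str]]:
    """Bucket device IDs by assessment; the 'vulnerable' list can drive a forced update."""
    buckets: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unsupported": []}
    for d in inventory:
        buckets[assess(d.product, d.os_version)].append(d.device_id)
    return buckets


# Constructed sample inventory (hypothetical device IDs, not real data).
SAMPLE_INVENTORY = [
    Device("iphone-01", "iOS", "18.2.1"),   # the build Citizen Lab found compromised
    Device("iphone-02", "iOS", "18.3.1"),
    Device("iphone-03", "iOS", "18.4"),
    Device("ipad-01", "iPadOS", "17.7.4"),
    Device("ipad-02", "iPadOS", "17.7.5"),
    Device("mac-01", "macOS", "15.3"),      # 15.3.0 is one point release short
    Device("mac-02", "macOS", "14.7.4"),
    Device("mac-03", "macOS", "12.7.6"),    # no fixed build on the 12.x train
    Device("watch-01", "watchOS", "11.3.1"),
    Device("vision-01", "visionOS", "2.3"),
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(ids) or '-'}")
```

Run it against a real export by replacing `SAMPLE_INVENTORY` with rows from your MDM; the "unsupported" bucket is the one most often overlooked, since those devices report a fully updated OS on their train yet never receive this fix.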
### Workarounds
No workarounds were published. User caution does not help here: a zero-click flaw triggers when the message is received and processed, before anyone decides whether to open an attachment. Updating to a fixed build is the only remediation, and fleets should enforce the listed minimum versions through MDM, noting that devices on a train with no fixed build (for example iOS 17) must be moved to a supported train. For users at elevated risk of mercenary spyware, Apple's documented hardening is Lockdown Mode, which restricts Messages attachment handling and link previews; Apple has not stated that it blocks this specific issue, so it should be treated as defence in depth rather than a substitute for patching.
## Detection
- Indicators of Compromise: None (file hashes, domains, or process names) are published in the cited sources. The only public confirmation is Citizen Lab's forensic finding of Paragon's Graphite spyware on devices running iOS 18.2.1.
- Detection Methods and Tools: Apple's threat notification system alerted specifically targeted individuals; a notification should be treated as a high-confidence signal and followed by device forensics, as Citizen Lab performed for the affected journalists. Exposure (as opposed to compromise) can be measured from inventory data by checking each device's OS version against the fixed builds listed under Remediation.
## References
- Vendor Advisories (Apple security release notes for the February 10, 2025 fixes): support.apple.com/en-us/122174, support.apple.com/en-us/122173, support.apple.com/en-us/122900, support.apple.com/en-us/122901, support.apple.com/en-us/122902, support.apple.com/en-us/122903, support.apple.com/en-us/122904
- Research/Reporting: citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/