
Apple has quietly updated the security release notes for iOS 18.3.1, revealing that the release patched a critical vulnerability, CVE-2025-43200, that commercial spyware had been actively exploiting before the fix shipped, which makes it a zero-day vulnerability.
The exploit was used by Paragon, the Israeli-developed commercial surveillance tool. Available intelligence suggests that a European nation-state may have deployed Paragon to target two journalists, whom Apple warned at the end of April about spyware activity on their devices.
iOS 18.3.1 was officially released in February 2025, yet Apple has only now acknowledged the vulnerability, presumably because of the involvement of Citizen Lab, the organization that first identified the intrusion and conducted the forensic investigation before reporting it to Apple.
Citizen Lab had been investigating the attack and only recently disclosed its findings. It is likely that the organization asked Apple to delay public disclosure until the full scope of the investigation could be shared, ensuring a more comprehensive and secure response.
CVE-2025-43200 is a logic flaw in the iCloud Link sharing feature that enabled highly targeted and sophisticated attacks. Apple notes that there were reports of the flaw being actively exploited against specific individuals.
The issue was mitigated in iOS 18.3.1 through improved validation mechanisms, and devices running this version or later are no longer vulnerable. However, Apple has yet to release further technical details about the nature of the attacks.