Apple Fixes Zero-Click Vulnerability in Messages App Used for Targeted Spyware Attacks on Journalists

June 13, 2025
Spyware / Vulnerability

Apple has revealed that a recently patched security flaw in its Messages app was actively exploited to carry out sophisticated cyber attacks on civil society members. Identified as CVE-2025-43200, the vulnerability was remedied on February 10, 2025, through updates to iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. According to the company, “A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link,” which was resolved with improved security checks. Apple also acknowledged awareness that this vulnerability may have been exploited in “extremely sophisticated” attacks targeting specific individuals. Notably, the updates for iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 also fixed another actively exploited zero-day vulnerability, CVE-2025-24200.

Apple Addresses Exploited Zero-Click Flaw in Messages, Targeting Journalists with Spyware

On June 13, 2025, Apple confirmed that a previously undisclosed security vulnerability in its Messages application had been actively exploited in targeted cyberattacks, particularly against members of civil society, including journalists. The flaw, identified as CVE-2025-43200, allowed for the execution of malicious code through crafted photos or videos shared via iCloud Links. Apple issued a patch for this vulnerability in the updates for iOS 18.3.1, iPadOS 18.3.1, macOS Sequoia 15.3.1, and several others on February 10, 2025. The company emphasized that improved checks were implemented to rectify the issue.

According to the advisory from Apple, the vulnerability has the potential to facilitate sophisticated attacks, specifically engineered to spy on individuals within targeted sectors. In the context of these breaches, the affected parties have been primarily members of the journalism community, indicating a deliberate choice by attackers to monitor those engaged in civil advocacy or critical reporting. This underscores the increasing risks faced by journalists in an era where digital surveillance methods are becoming more advanced and widespread.

The exploitation of this vulnerability not only highlights the inherent risks associated with mobile communication platforms but also raises concerns about privacy and the safety of sensitive information shared through such applications. It is crucial for businesses and individuals alike to remain vigilant about the security of the tools they use for communication, as threats can evolve rapidly and may target users for various reasons, including political or social motivations.

In addition to resolving CVE-2025-43200, Apple’s recent security updates also addressed another active zero-day vulnerability, tracked as CVE-2025-24200, further indicating the pressures software developers face in maintaining robust security postures amidst increasing attack sophistication. The coordination of such complex attacks likely involved multiple tactics from the MITRE ATT&CK framework, such as initial access through social engineering and persistence tactics that keep a foothold in vulnerable systems for extended periods.

Cyber threats exploiting flaws like the one found in Apple’s Messages application should serve as a cautionary tale for business owners. The ongoing evolution of spyware, exemplified by the Paragon spyware used in these attacks, is a clear testament to the necessity for continuous vigilance and proactive cybersecurity measures. Implementing regular software updates and educating employees about potential risks can mitigate against these evolving threats.

As the landscape of cybersecurity continues to shift, understanding the tactics employed by adversaries becomes paramount. This incident serves as a reminder for organizations to not only prioritize technical defenses but also foster a culture of awareness and responsiveness towards existing vulnerabilities. The implications of these attacks extend beyond individual targets, potentially affecting broader networks and communities reliant on secure communication channels.

The persistence and ingenuity of attackers should prompt business leaders to rethink their approach toward cybersecurity, reinforcing the importance of adaptive strategies that can anticipate and effectively mitigate emerging threats in the digital age.

Source link

Related Posts

Ransomware Groups Exploit Unpatched SimpleHelp Vulnerabilities for Double Extortion Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported on Thursday that ransomware criminals are taking advantage of unpatched SimpleHelp Remote Monitoring and Management (RMM) systems to compromise clients of an unnamed utility billing software provider. “This incident highlights a growing trend of ransomware groups exploiting unpatched versions of SimpleHelp RMM since January 2025,” the agency stated in an advisory. Earlier this year, SimpleHelp identified several vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could lead to information disclosure, privilege escalation, and remote code execution. These vulnerabilities have been actively exploited, including by ransomware groups like DragonForce, to breach specific targets. In a recent report, Sophos revealed that a Managed Service Provider’s SimpleHelp system was compromised by threat actors using these flaws.

Critical Vulnerability in TP-Link Routers (CVE-2023-33538) Under Active Exploitation, CISA Issues Urgent Warning

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a critical security flaw affecting TP-Link wireless routers in its Known Exploited Vulnerabilities (KEV) catalog, highlighting evidence of ongoing exploitation. The vulnerability, identified as CVE-2023-33538 (CVSS score: 8.8), involves a command injection issue that could allow arbitrary system command execution when handling the ssid1 parameter in a specially crafted HTTP GET request. Affected models include the TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2, which expose this flaw through the /userRpm/WlanNetworkRpm component. CISA has warned that some impacted devices may be at end-of-life (EoL) or end-of-service (EoS), advising users to stop using them if no mitigations are available. Currently, there is limited public information on the nature of the active exploitation, including attack scale and targeted entities.

New Flodrix Botnet Variant Takes Advantage of Langflow AI Server RCE Vulnerability for DDoS Attacks

Cybersecurity researchers have identified a new campaign that actively exploits a recently revealed critical security flaw in Langflow to deploy the Flodrix botnet malware. According to Trend Micro researchers Aliakbar Zahravi, Ahmed Mohamed Ibrahim, Sunil Bharti, and Shubham Singh in their technical report, attackers are leveraging this vulnerability to execute downloader scripts on compromised Langflow servers, which subsequently retrieve and install the Flodrix malware. This activity involves the exploitation of CVE-2025-3248 (CVSS score: 9.8), a missing authentication vulnerability affecting Langflow, a Python-based visual framework for creating AI applications. Successful exploitation allows unauthenticated attackers to execute arbitrary code through specially crafted HTTP requests. Langflow addressed this flaw with version 1.3.0, released in March 2025. Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted…

Critical RCE Threat from Hard-Coded ‘b’ Password in Sitecore XP Exposes Enterprises

June 17, 2025
Vulnerability / Enterprise Software

Cybersecurity experts have identified three significant vulnerabilities in the widely-used Sitecore Experience Platform (XP) that could be exploited to achieve pre-authenticated remote code execution (RCE). Sitecore XP is an enterprise software solution that offers tools for content management, digital marketing, and analytics.

The vulnerabilities are as follows:

  • CVE-2025-34509 (CVSS score: 8.2) – Use of hard-coded credentials
  • CVE-2025-34510 (CVSS score: 8.8) – Post-authenticated RCE via path traversal
  • CVE-2025-34511 (CVSS score: 8.8) – Post-authenticated RCE via Sitecore PowerShell Extension

Researcher Piotr Bazydlo from watchTowr Labs pointed out that the default user account “sitecore\ServicesAPI” has a hard-coded single-character password set to “b.” Notably, Sitecore’s documentation advises against altering default credentials. Although the user account lacks roles and permissions, the vulnerabilities still pose a serious risk.