Mallory
Medium | CISA KEV | Exploited in the wild | Public exploit

Zero-click iCloud Link media processing flaw in Apple Messages

Identifiers: CVE-2025-43200, CWE-840

CVE-2025-43200 is an Apple vulnerability affecting iOS, iPadOS, macOS, watchOS, and visionOS. Apple describes it as a logic issue that existed when processing a maliciously crafted photo or video shared via an iCloud Link, and states it was fixed with improved checks. Reporting and forensic context indicate the flaw was reachable through Messages/iMessage as a zero-click attack path, where specially crafted media delivered via an iCloud Link could be processed without user interaction. Citizen Lab and multiple reporting contexts associate exploitation of this vulnerability with deployment of Paragon Solutions' Graphite spyware against specific targeted individuals. Apple stated it is aware of reports that the issue may have been exploited in extremely sophisticated attacks in the wild.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enabled highly targeted zero-click compromise of Apple devices. Available reporting associates the flaw with deployment of Paragon's Graphite mercenary spyware against journalists and other civil-society targets. The practical impact therefore includes remote device compromise without user interaction, covert surveillance, and follow-on access to sensitive device data and capabilities, subject to the payload delivered by the attacker.

Mitigation

If you can’t patch tonight, do this now.

The primary mitigation is updating to a fixed OS version. For high-risk users who cannot update yet, reduce exposure to unsolicited iCloud Link content and enable Lockdown Mode where operationally feasible, since reporting on this case specifically characterizes the exploit path as zero-click and used in targeted spyware operations. Standard hardening measures for high-risk mobile users may reduce attack surface, but no complete mitigation short of installing the vendor fix is documented.

Remediation

Patch, then assume compromise.

Apply Apple's fixed releases: iOS 15.8.4 and iPadOS 15.8.4; iOS 16.7.11 and iPadOS 16.7.11; iPadOS 17.7.5; iOS 18.3.1 and iPadOS 18.3.1; macOS Ventura 13.7.4; macOS Sonoma 14.7.4; macOS Sequoia 15.3.1; visionOS 2.3.1; and watchOS 11.3.1. Apple states the issue was addressed with improved checks.
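The fixed-release list above is branch-specific, so an inventory check has to compare each device against the fix for its own major version and treat branches with no listed fix (iOS 17.x, macOS 12 and earlier) as still exposed. The following is an added example, not Mallory's or Apple's code; the fixed versions are the ones listed on this page, and the inventory is constructed sample data.

```python
"""Flag assets still exposed to CVE-2025-43200 by comparing each OS version
with Apple's fixed releases. Added example, not Mallory's or Apple's code: the
fixed versions are the ones listed on this page; the inventory is constructed."""

# (platform, major) -> first fixed release on that branch, per the page.
FIXED = {
    ("iOS", 15): (15, 8, 4), ("iPadOS", 15): (15, 8, 4),
    ("iOS", 16): (16, 7, 11), ("iPadOS", 16): (16, 7, 11),
    ("iPadOS", 17): (17, 7, 5),
    ("iOS", 18): (18, 3, 1), ("iPadOS", 18): (18, 3, 1),
    ("macOS", 13): (13, 7, 4), ("macOS", 14): (14, 7, 4), ("macOS", 15): (15, 3, 1),
    ("visionOS", 2): (2, 3, 1),
    ("watchOS", 11): (11, 3, 1),
}

def parse_version(text):
    """'18.3' -> (18, 3, 0), so a short version string sorts below 18.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """'patched'; 'exposed' (a fix exists on this branch but is not applied); or
    'exposed-no-fix-on-branch' (the page lists no fix for this major, e.g. iOS 17
    or macOS 12), which calls for an OS upgrade rather than a point update."""
    v = parse_version(version)
    majors = [m for (p, m) in FIXED if p == platform]
    if not majors:
        raise ValueError(f"platform not covered by this advisory: {platform}")
    if v[0] > max(majors):
        return "patched"  # newer branch than any listed fix
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        return "exposed-no-fix-on-branch"
    return "patched" if v >= fixed else "exposed"

def find_exposed(inventory):
    """Return (host, platform, version, status) for every asset not patched."""
    rows = [(h, p, ver, assess(p, ver)) for h, p, ver in inventory]
    return [r for r in rows if r[3] != "patched"]

# Constructed sample inventory, not real assets.
SAMPLE = [
    ("phone-01", "iOS", "18.3.1"), ("phone-02", "iOS", "18.3"),
    ("tablet-01", "iPadOS", "17.7.4"), ("phone-03", "iOS", "17.7.2"),
    ("mac-01", "macOS", "14.7.4"), ("mac-02", "macOS", "12.7.6"),
]

if __name__ == "__main__":
    for row in find_exposed(SAMPLE):
        print(*row)
```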
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

Valid: 0 / Total: 0

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product     Type
Apple    Ipados      operating_system
Apple    Iphone Os   operating_system
Apple    Macos       operating_system
Apple    Visionos    operating_system
Apple    Watchos     application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware (5)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (2)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (25)

Community discussion across Reddit, Mastodon, and other social sources.