[CVE-2025-43300] Apple ImageIO Zero-Click Exploited Against Journalists and Officials

Executive Summary

CVE-2025-43300 is a zero-day in Apple’s ImageIO framework that enables zero-click remote code execution across iOS, iPadOS, and macOS. Apple confirmed exploitation in “extremely sophisticated attacks” against targeted individuals. Forensic analysis confirms Italian journalists were compromised with Paragon’s Graphite spyware, while broader evidence indicates civil society, dissidents, and government officials are also at risk.
This marks the seventh zero-day patched by Apple in 2025 (as of August), underscoring a sustained escalation in targeting Apple platforms.
CVSS v3.1: 8.8 (High) | CVSS v2: 10.0 (Critical)

Vulnerability Overview

  • Component: Apple ImageIO
  • Type: Out-of-bounds write → memory corruption → RCE
  • Affected Systems:
    • iOS <18.6.2 (iPhone XS+)
    • iPadOS <18.6.2 / <17.7.10 (iPad 7+, Air 3+, Mini 5+)
    • macOS Sequoia <15.6.1, Sonoma <14.7.8, Ventura <13.7.8
  • Root Cause: Improper bounds checking in image parsing
  • Impact: Arbitrary code execution, sandbox escape, potential persistence

Zero-click vulnerabilities require no user interaction — which means no behavioral indicator to detect. Device hygiene, patch velocity, and threat intelligence are the only meaningful controls.


Attack Vector

  • Malicious images delivered via:
    • iMessage and messaging apps
    • Email attachments
    • Embedded images on websites/social platforms
  • Zero-click: Exploitation occurs automatically during image parsing, requiring no user interaction.

Exploitation Status

  • Active exploitation confirmed by Apple and CISA (KEV deadline: Sept 11, 2025)
  • Confirmed forensic cases:
    • Ciro Pellegrino (Fanpage.it journalist)
    • Francesco Cancellato (Fanpage.it editor)
    • Both compromised with Graphite spyware (Citizen Lab, Amnesty reports)
  • High confidence: Paragon Graphite spyware linked to exploitation
  • Medium confidence: Nation-state coordination involved, with operational patterns resembling APT29/Cozy Bear tradecraft
  • Assessed likely: Persistence mechanisms enabling long-term device compromise

Mitigation Steps

  • Patch immediately: iOS 18.6.2, iPadOS 18.6.2/17.7.10, macOS Sequoia 15.6.1, Sonoma 14.7.8, Ventura 13.7.8
  • Enable automatic updates to shrink exposure windows
  • Deploy Lockdown Mode for high-risk individuals
  • Apply mobile EDR/behavioral monitoring
  • Enforce zero-trust controls in BYOD environments
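The affected-version ranges above and the fixed versions in the mitigation list translate directly into a fleet patch-compliance check. The following is an added example, not code from the advisory or from Apple: it encodes the advisory's fixed versions per platform and release line, evaluates a constructed device inventory, and puts vulnerable devices belonging to high-risk users (the Lockdown Mode candidates) at the top of the worklist. The "review" status and the high_risk flag are assumptions of this example, not advisory categories; "review" flags release lines the advisory does not cover (for instance macOS 12) so they are checked by hand instead of silently passing.

```python
"""Patch-compliance triage for CVE-2025-43300 over a device inventory.

Added example, not code from the advisory or from Apple. The fixed versions
are the ones the advisory lists; the device inventory and the high_risk flag
are constructed sample data.
"""
from dataclasses import dataclass

# Minimum fixed version per platform and release line (taken from the advisory).
FIXED_VERSIONS = {
    "iOS": {18: (18, 6, 2)},
    "iPadOS": {18: (18, 6, 2), 17: (17, 7, 10)},
    "macOS": {15: (15, 6, 1), 14: (14, 7, 8), 13: (13, 7, 8)},
}


def parse_version(text):
    """Turn '18.6' or '17.7.10' into a 3-tuple so plain tuple comparison works.

    Zero-padding matters: the string '18.6' must compare below '18.6.2'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(platform, version):
    """Return 'patched', 'vulnerable', or 'review' for one device.

    'review' (an assumption of this example) marks a release line the advisory
    does not list, e.g. macOS 12, which needs a manual support-status check.
    """
    v = parse_version(version)
    lines = FIXED_VERSIONS.get(platform)
    if lines is None:
        raise ValueError(f"unknown platform: {platform!r}")
    fixed = lines.get(v[0])
    if fixed is None:
        return "review"
    return "patched" if v >= fixed else "vulnerable"


@dataclass
class Device:
    device_id: str
    platform: str
    version: str
    high_risk: bool = False  # journalist, official, etc.; drives Lockdown Mode advice


def triage(inventory):
    """Worklist ordered: vulnerable high-risk users, other vulnerable devices,
    then 'review' cases. Patched devices are omitted."""
    ranked = []
    for d in inventory:
        status = assess(d.platform, d.version)
        if status == "patched":
            continue
        if status == "vulnerable" and d.high_risk:
            rank, action = 0, "patch now and enable Lockdown Mode"
        elif status == "vulnerable":
            rank, action = 1, "patch now"
        else:
            rank, action = 2, "confirm support status"
        ranked.append((rank, d.device_id, status, action))
    ranked.sort()
    return [(dev, status, action) for _, dev, status, action in ranked]


SAMPLE_INVENTORY = [  # constructed sample data, not a real inventory
    Device("iphone-editor", "iOS", "18.6.1", high_risk=True),
    Device("iphone-intern", "iOS", "18.6.2"),
    Device("ipad-legal", "iPadOS", "17.7.9"),
    Device("mac-newsdesk", "macOS", "14.7.8"),
    Device("mac-archive", "macOS", "12.7.6"),
    Device("mac-ceo", "macOS", "15.6", high_risk=True),
]

if __name__ == "__main__":
    for device_id, status, action in triage(SAMPLE_INVENTORY):
        print(f"{device_id:14} {status:10} {action}")
```

Running the block prints the two high-risk vulnerable devices first (the iPhone on 18.6.1 and the Mac reporting "15.6", which zero-pads below 15.6.1), then the iPad on 17.7.9, then the macOS 12 machine for manual review; the two devices already on fixed versions do not appear.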

High-Risk Indicators

  • Device Behavior: Unexplained crashes tied to ImageIO parsing (Confidence: High)
  • Network: Outbound traffic to suspected C2 after image receipt (Confidence: Medium)
  • Target Profile: Journalists, dissidents, government officials, civil society leaders (Confidence: High)
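The "crashes tied to ImageIO parsing" indicator is only useful if someone is actually reading crash reports for it. The following is an added example, not code from the advisory: a small hunting script that flags reports whose crashed thread has a frame inside ImageIO, and ranks a hit higher when the crashing process is a message or mail client (the delivery channels the advisory names). It assumes the classic macOS text crash-report layout (a "Process:" header, a "Thread N Crashed" section, and backtrace frames written as "index  binary  address  symbol + offset"); the two reports and their symbol names are constructed sample data, and the set of message-handling process names is an assumption to adjust for your fleet.

```python
"""Hunt crash reports whose crashed thread ran inside ImageIO.

Added example, not code from the advisory. It assumes the classic macOS text
crash-report layout; the sample reports below are constructed, not real logs.
"""
import re

IMAGEIO_NAMES = {"ImageIO", "com.apple.ImageIO"}
# Assumption: processes that decode images sent by outsiders get extra weight.
MESSAGE_HANDLERS = {"Messages", "Mail", "MobileSMS"}

FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+(.*)$")
PROCESS_RE = re.compile(r"^Process:\s+(\S+)")
CRASHED_RE = re.compile(r"^Thread \d+ Crashed")
THREAD_RE = re.compile(r"^Thread \d+")


def crashed_thread_frames(report):
    """Return (process_name, [(binary, symbol), ...]) for the crashed thread only.

    Frames of other threads are ignored on purpose: ImageIO legitimately runs on
    background threads, so only the crashing backtrace is evidence."""
    process, frames, in_crashed = None, [], False
    for line in report.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            process = m.group(1)
            continue
        if CRASHED_RE.match(line):
            in_crashed = True
            continue
        if THREAD_RE.match(line):  # any other thread header ends the crashed section
            in_crashed = False
            continue
        if in_crashed:
            f = FRAME_RE.match(line)
            if f:
                frames.append((f.group(2), f.group(3).strip()))
    return process, frames


def score(report):
    """0: no ImageIO frame in the crashed thread.
    1: ImageIO frame present.
    2: ImageIO frame present and the process is a message/mail handler."""
    process, frames = crashed_thread_frames(report)
    if not any(binary in IMAGEIO_NAMES for binary, _ in frames):
        return 0
    return 2 if process in MESSAGE_HANDLERS else 1


def hunt(reports):
    """Return (label, score) for every report that deserves analyst attention."""
    hits = []
    for label, text in reports.items():
        s = score(text)
        if s > 0:
            hits.append((label, s))
    return hits


# Constructed sample: crash while decoding an inbound image in Messages.
REPORT_MESSAGES = """\
Process:               Messages [4711]
Identifier:            com.apple.MobileSMS
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   ImageIO                        0x00007ff81a2b3c4d IIODecoder::readData + 212
1   ImageIO                        0x00007ff81a2b1000 CGImageSourceCreateImageAtIndex + 88
2   Messages                       0x0000000104a1b2c3 -[IMThumbnailView render:] + 64

Thread 1:
0   libsystem_kernel.dylib         0x00007ff81900abcd mach_msg2_trap + 10
"""

# Constructed sample: unrelated crash; ImageIO appears only on a background thread.
REPORT_OTHER = """\
Process:               Notes [900]

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   Foundation                     0x00007ff81b000123 -[NSArray objectAtIndex:] + 40
1   Notes                          0x0000000105001234 -[NoteList reload] + 12

Thread 3:
0   ImageIO                        0x00007ff81a2b3c4d IIODecoder::readData + 212
"""

if __name__ == "__main__":
    for label, s in hunt({"messages.crash": REPORT_MESSAGES, "notes.crash": REPORT_OTHER}):
        print(f"{label}: priority {s}")
```

Only the Messages report is returned (priority 2); the Notes report scores 0 because its ImageIO frame sits on a non-crashing thread. In practice, feed it the contents of the user's DiagnosticReports directory or the crash logs collected by your mobile EDR, and treat a hit on an unpatched device of a high-risk user as an incident, not a bug report.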

Target Profiles

  • Confirmed:
    • Italian journalists (Fanpage.it – Pellegrino, Cancellato)
  • High Confidence:
    • European journalists covering corruption and national security
    • U.S. government officials (validated by CISA’s KEV directive)
  • Medium Confidence:
    • Dissidents in exile (Russian/Belarusian media, activists)
    • Human rights advocates and civil society leaders
  • Elevated Risk:
    • Corporate executives in defense, tech, and infrastructure sectors
    • Academic researchers in surveillance/cybersecurity

Intelligence Assessment

CVE-2025-43300 demonstrates a strategic surveillance escalation against Apple platforms.

  • High confidence: Graphite spyware deployed in European journalist targeting
  • Medium confidence: Nation-state operations are coordinating or acquiring exploits, with tradecraft patterns consistent with APT29/Cozy Bear
  • Assessed likely: Persistence mechanisms deployed for long-term access

This zero-click exploit reflects the continuing fusion of mercenary spyware vendors and state-backed intelligence operations, with journalists, dissidents, and officials as primary targets.

© 2026 Noorstream Security. All Rights Reserved.