Apple Patches iPhone Zero-Day Used in Spyware Attacks – Ankor Tech

Apple has officially patched a critical zero-day vulnerability exploited by Paragon spyware to compromise the iPhones of European journalists. The flaw, which allowed for sophisticated remote attacks, was quietly mitigated in the iOS 18.3.1 update released on February 10, though its specific nature was only disclosed by the company this week.

The Hidden Security Flaw

The vulnerability, identified as a logic issue within the processing of media files sent via iCloud Links, allowed attackers to gain unauthorized access to targeted devices. According to a report published by The Citizen Lab, this exploit was the primary vector used to target Italian journalist Ciro Pellegrino and another high-profile European media figure.

While Apple issued a security update on February 10, its initial advisory failed to mention this specific flaw, focusing instead on an unrelated issue involving iPhone security mechanisms. It was not until June 11 that the company updated its advisory to acknowledge the logic issue, admitting awareness of “an extremely sophisticated attack against specific targeted individuals.”

Paragon Spyware and Targeted Attacks

The discovery follows a series of security warnings issued to iPhone users worldwide. The controversy surrounding Paragon intensified earlier this year when WhatsApp alerted approximately 90 users—including activists and journalists—that they had been targeted by the company’s “Graphite” spyware.

In late April, Apple sent mass notifications to users across 100 countries, warning them that they had been targeted by mercenary spyware. While the alerts did not explicitly name the developers behind the campaigns, The Citizen Lab’s forensic analysis has now confirmed that the victims were indeed compromised using Paragon’s tools.

Questions Remain Over Disclosure

Despite the confirmation of the exploit, Apple has remained silent regarding the four-month gap between the patch deployment and the public disclosure of the vulnerability. The company did not respond to requests for comment regarding the delay in transparency.

It remains unclear whether the “Graphite” spyware was the only tool used against all individuals who received Apple’s April notification, or whether other undisclosed vulnerabilities were leveraged in parallel campaigns. As forensic investigations continue, the incident underscores the persistent threat posed by commercial mercenary spyware against members of the press and civil society.