
iPhone iOS Flaw Exploited by Paragon Spyware Fixed in iOS 18.3.1

Researchers at Citizen Lab uncovered that Paragon’s Graphite spyware exploited a logic flaw, fixed in iOS 18.3.1, in the processing of malicious photos or videos shared via iCloud Link. Two European journalists, including Italy’s Ciro Pellegrino, were targeted. Although Apple deployed a patch in February, its advisory only now discloses the vulnerability used in these sophisticated attacks.

Published June 12, 2025 at 06:09 PM EDT in Cybersecurity

Paragon Spyware Exploits iPhone iOS Flaw

In early 2025, two high-profile European journalists discovered their iPhones had been compromised by Paragon’s Graphite spyware. The attack exploited a previously undisclosed logic issue in Apple’s iCloud Link media processor. Although Apple silently patched the vulnerability in iOS 18.3.1 on February 10, the advisory was only updated this week to acknowledge the flaw.

The Hidden iOS Vulnerability

The flaw resided in the way iOS processed photos and videos shared via an iCloud Link. A specially crafted media file could trigger a logic error that bypassed core security checks. Apple confirms this vulnerability may have been leveraged in “extremely sophisticated” targeted attacks.

Targeted Attacks on Journalists

Citizen Lab’s report, previewed to TechCrunch, identifies Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist as victims. Both received Apple’s later notifications about potential mercenary spyware, and WhatsApp had earlier warned around 90 high-risk accounts of Graphite targeting.

Delayed Disclosure and Industry Implications

Apple originally cited only an unrelated flaw in its February advisory. It took four months to publicly acknowledge the iCloud Link issue. For defenders, this highlights the challenge of tracking silent patches and underscores the need for continuous monitoring of vendor advisories.

Lessons for Security Teams

  • Ensure all devices run the latest iOS builds and cross-verify patch notes.
  • Monitor silent advisory updates and leverage third-party vulnerability intelligence feeds.
  • Educate high-risk users—journalists, activists, and executives—on detecting unusual media link behaviour.
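
One way to act on the first two points above, as an added example that is not part of the original article: compare two saved snapshots of a vendor advisory to surface entries added after initial publication, then list devices below the fixed release. The snapshot text, entry titles, device names and helper functions are constructed for illustration; only the 18.3.1 version number comes from the article.

```python
import hashlib

# Constructed snapshots of one vendor advisory page, saved on two dates.
# Entry titles and text are placeholders, not the vendor's actual wording.
SNAPSHOT_FEB = """\
Component A
Impact: placeholder description of the originally listed issue.
"""

SNAPSHOT_JUN = """\
Component A
Impact: placeholder description of the originally listed issue.

Component B
Impact: placeholder description of a logic issue in media handling.
Entry added after initial publication.
"""


def parse_entries(text):
    """Map each entry title to a hash of its body; entries are blank-line separated."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            body = "\n".join(lines[1:])
            entries[lines[0]] = hashlib.sha256(body.encode()).hexdigest()
    return entries


def diff_advisory(old_text, new_text):
    """Report entries added, removed, or reworded between two snapshots."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(t for t in old.keys() & new.keys() if old[t] != new[t]),
    }


def below_fixed(inventory, fixed):
    """Return device names whose OS version is lower than the fixed release."""
    def as_tuple(version):
        return tuple(int(part) for part in version.split("."))
    return sorted(d for d, v in inventory.items() if as_tuple(v) < as_tuple(fixed))


if __name__ == "__main__":
    print(diff_advisory(SNAPSHOT_FEB, SNAPSHOT_JUN))
    # Constructed inventory; 18.3.1 is the fixed release named in the article.
    print(below_fixed({"phone-01": "18.3", "phone-02": "18.3.1", "phone-03": "18.5"}, "18.3.1"))
```

An "added" entry on an advisory for a release already deployed is the signal to re-check the fleet, since devices that skipped that release were exposed to an issue nobody knew to prioritise.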

Paragon’s exploitation of the flaw fixed in iOS 18.3.1 serves as a stark reminder: even minor logic flaws in popular platforms can open doors to elite spyware. Staying ahead means combining rapid patch management with proactive threat hunting and user education.
