French Advisory Sheds Light on Apple Spyware Activity

Summary

France’s national cybersecurity team, CERT-FR (ANSSI), has published an advisory revealing that Apple sent several private threat notifications this year to individuals targeted by sophisticated spyware. The advisory confirms four Apple notifications in 2025 (March 5, April 29, June 25 and Sept 3) and warns that receipt of a notification means at least one device tied to the recipient’s iCloud account was targeted and potentially compromised.

CERT-FR highlighted that mercenary spyware such as Pegasus, Predator, Graphite and Triangulation is hard to detect and often exploits zero-day memory-safety flaws. The Sept 3 notification followed Apple’s disclosure of CVE-2025-43300 in the ImageIO framework (disclosed 20 Aug), which Apple said had been used in “extremely sophisticated” targeted attacks. Earlier in the year, a March notification came shortly before Apple disclosed CVE-2025-24201 in WebKit.

To mitigate risk, CERT-FR recommends prompt updates (or enabling automatic updates), enabling Lockdown Mode and daily device restarts. Apple also recently unveiled Memory Integrity Enforcement (MIE), a hardware-backed defence aimed at improving memory safety to blunt such spyware chains.

Key Points

  1. CERT-FR confirmed four Apple threat notifications in 2025 indicating targeted spyware attempts against iCloud-linked devices.
  2. Notifications are private to recipients, so public visibility on the timing and scope of attacks is limited.
  3. The Sept 3 notification followed disclosure of ImageIO zero-day CVE-2025-43300, which Apple said was exploited in highly targeted attacks.
  4. The earlier March notification preceded disclosure of a WebKit zero-day (CVE-2025-24201); links between notifications and specific CVEs remain unclear.
  5. Known mercenary spyware (Pegasus, Predator, Graphite, Triangulation) commonly exploits memory-safety vulnerabilities and can work without user interaction.
  6. CERT-FR mitigation advice: install updates promptly, enable Lockdown Mode and restart devices regularly.
  7. Apple announced Memory Integrity Enforcement (MIE) to strengthen chip-level memory defences against exploit chains.

Why should I read this?

Short version: if you use Apple kit or look after people who do, this matters. The advisory confirms targeted spyware is active, notifications are quietly sent to victims (so most incidents stay invisible), and attackers keep exploiting zero-days. Quick fixes? Patch, switch on Lockdown Mode and restart daily — but don’t kid yourself, the threat is ongoing.

Author’s take

Punchy and to the point: CERT-FR’s disclosure peels back the curtain a little on what’s been happening behind the scenes. Apple’s private notifications mean adversaries can operate for months before users even know — that’s worrying. Apple’s MIE is a step forward, but defenders need to keep devices updated and assume targeted actors will keep probing memory-safety flaws.

Context and relevance

This advisory is important because it provides rare public confirmation of discrete targeting events that otherwise remain private. It ties into wider trends: mercenary spyware leveraging memory-safety bugs, zero-click/zero-day exploitation, and technology vendors responding with hardware and OS mitigations. For security teams, civil-society actors and high-risk individuals, the advisory underscores the need for rapid patching, defensive configuration and threat monitoring.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/french-sheds-light-apple-spyware-activity
