CISA has added a critical iOS zero-click vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw has been actively exploited by sophisticated mercenary spyware in targeted attacks against journalists.

The vulnerability, tracked as CVE-2025-43200, affects multiple Apple products, including iOS, iPadOS, macOS, watchOS, and visionOS, allowing attackers to compromise devices without any user interaction through maliciously crafted photos or videos shared via iCloud Links.