French Advisory Exposes Apple Spyware Concerns

France’s national cybersecurity agency said Apple recently sent out notifications to individuals warning that they had been targeted in spyware attacks.

Since 2021, Apple has sent threat notifications to individuals targeted by spyware attacks. But because these notifications are sent to individual users and not made public, it’s not always clear when the attacks are occurring and if they coincide with the exploitation of zero-day vulnerabilities in Apple products.

France’s computer emergency response team (CERT-FR) published an advisory Thursday that shed more light on recent spyware attacks against Apple users. CERT-FR, which is operated by ANSSI, the country’s national cybersecurity agency, said it was aware of four such notifications from Apple this year, including the latest, issued Sept. 3.

“Receiving a notification means that at least one of the devices linked to the iCloud account has been targeted and is potentially compromised,” the CERT-FR advisory said, adding that spyware programs like Pegasus, Predator, Graphite, and Triangulation are “particularly sophisticated and difficult to detect.”

“The notification results in the receipt of an iMessage and an alert email sent by Apple (from threat-notifications[at]email.apple.com or threat-notifications[at]apple.com). When logging into the iCloud account, an alert is displayed,” CERT-FR said. “The time between the compromise attempt and the receipt of the notification is several months, but remains variable.”

Related:‘Gentlemen’ Ransomware Abuses Vulnerable Driver to Kill Security Gear

Notifications Highlight Ongoing Spyware Threat

The Sept. 3 notification followed Apple’s disclosure of CVE-2025-43300, a zero-day flaw in its ImageIO framework, on Aug. 20. Apple said the vulnerability was exploited in “an extremely sophisticated attack against specific targeted individuals,” but as usual, the technology giant shared few details about the nature of the exploitation activity or technical details for CVE-2025-43300.

CERT-FR said the September notification was one of four sent by Apple this year, with the others occurring on March 5, April 29, and June 25. The March notification was issued a week before Apple disclosed CVE-2025-24201, a zero-day vulnerability in the company’s WebKit open source browser engine that was exploited in “extremely sophisticated” attacks. It’s unclear if the March notifications were in relation to CVE-2025-24201, just as it’s unknown if the Sept. 3 notification stemmed from the most recent Apple zero-day flaw.

Dark Reading contacted Apple for comment but the company did not response at press time.

Related:Apple CarPlay RCE Exploit Left Unaddressed in Most Cars

To protect against spyware threats, which CERT-FR said often exploit zero days and require no user interaction, the agency recommended users regularly update their devices as soon as possible or enable automatic updates; enable Lockdown Mode on Apple devices; and restart devices at least once a day.

The CERT-FR advisory landed the same week Apple unveiled its Memory Integrity Enforcement (MIE), a new security architecture designed to improve memory safety and thwart spyware attacks. MIE features always-on defenses built into the chips that hardens them against commonly exploited memory flaws such as buffer overflows and use-after-free vulnerabilities.

“Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry,” Apple said in a blog post published Tuesday.