WhatsApp Fixes ‘Zero-Click’ Spyware Bug On Apple Devices

WhatsApp has patched a critical security flaw in its iOS and Mac apps that hackers were exploiting in a stealthy spyware campaign, without users ever clicking a link or opening a file.

The Meta-owned messaging platform said the vulnerability, tracked as CVE-2025-55177, was paired with another vulnerability (CVE-2025-43300) in Apple’s software that the company patched last week. Together, they formed what security experts call a “zero-click” exploit: an attack that let hackers break into iPhones and Macs with no action required from the user.

“Incomplete authorization of linked device synchronization messages in WhatsApp [..] could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device,” WhatsApp wrote in a Friday security advisory.

“We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.”

This zero-click flaw affected WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before v2.25.21.78, and WhatsApp for Mac before v2.25.21.78.

Earlier this month, Apple rolled out emergency updates to fix the CVE-2025-43300 zero-day flaw, noting that it had already been exploited in an “extremely sophisticated attack.”

While the two companies have yet to publicly identify who was behind the attacks, Donncha Ó Cearbhaill (the head of the Security Lab at Amnesty International) said that WhatsApp recently alerted some users who were hit by an “advanced spyware campaign” that ran for about 90 days. This campaign has affected fewer than 200 people around the world, including members of civil society.

WhatsApp’s Response

“We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or be targeted in other ways,” the WhatsApp alerts read.

Donncha Ó Cearbhaill said the campaign was designed to break into iPhones and Macs remotely, giving victims no warning signs that their devices were compromised while giving attackers access to private messages and sensitive data.

“Also important: the Apple vulnerability was in a core image library, targeting possible through other apps besides WhatsApp,” added Donncha Ó Cearbhaill.

This isn’t the first time WhatsApp has been used as a delivery channel for government-grade spyware. In 2019, the company sued Israeli spyware vendor NSO Group after its Pegasus malware infiltrated over 1,400 devices, including journalists and activists. More recently, WhatsApp said that it disrupted another campaign targeting civil society groups in Italy.

Security experts caution that these attacks show the growing power of the surveillance industry. By exploiting previously unknown vulnerabilities, attackers can infiltrate even the most up-to-date devices. Unlike phishing attempts, zero-click exploits don’t depend on user actions, which makes them nearly impossible to prevent and defend against.

What Should You Do?

For everyday WhatsApp users, the risk is extremely low. However, it is critical to update your apps and operating system as soon as possible.

For journalists, activists, and others in sensitive fields, security experts also recommend turning on Apple’s Lockdown Mode or Android’s Advanced Protection Mode for an extra layer of defense. As spyware makers are constantly hunting for weaknesses, keeping devices patched and up to date is the best line of defense once patches are available.

 

Kavita Iyer