WhatsApp fixes 'zero-click' flaw that targeted Apple users
The campaign had been active since late May

Aug 30, 2025
01:01 pm

What's the story

WhatsApp has fixed a critical security flaw in its iOS and Mac apps that was being exploited in a spyware campaign. The vulnerability, tracked as CVE-2025-55177, was combined with a separate bug in Apple devices (CVE-2025-43300); together the two formed a "zero-click" exploit. This type of attack requires no interaction from the victim to compromise their device.

Targeted attack

Attackers accessed sensitive data, including private messages

The spyware campaign had been active since late May and was described as highly sophisticated by Amnesty International's Security Lab. The combination of the two bugs allowed attackers to access sensitive data, including private WhatsApp messages. Meta, WhatsApp's parent company, detected the activity weeks ago and notified fewer than 200 affected users. However, the company has not disclosed who was behind the attacks.

Previous incidents

WhatsApp previously targeted by NSO Group

This isn't the first time that WhatsApp has been targeted by surveillance vendors. In 2019, spyware maker NSO Group exploited a similar zero-day vulnerability to install Pegasus spyware. A US court later ordered NSO to pay WhatsApp $167 million in damages. Earlier this year, the messaging service also thwarted a campaign using Paragon spyware that targeted journalists in Italy.

Persistent risk

Zero-day vulnerabilities pose significant risks

The latest discovery highlights the persistent threat of zero-day vulnerabilities being exploited against high-risk individuals, even on fully patched Apple devices. Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, described the attack as an "advanced spyware campaign" targeting users over the past 90 days. He confirmed that dozens of WhatsApp users were targeted with this pair of flaws.