iOSarena

WhatsApp Patches Zero-Click Exploit on iOS and macOS

by apple
10 months ago

Researchers discovered attackers may have combined a WhatsApp zero-click exploit with a serious Apple flaw to compromise devices. After the discovery, WhatsApp patched the vulnerability, confirming that it affected both iOS and macOS users and that attackers had actively exploited it in targeted spyware campaigns.

Details of the WhatsApp Zero-Click Exploit

The vulnerability, tracked as CVE-2025-55177 with a CVSS score of 5.4, stemmed from insufficient authorization of linked device synchronization messages. This shortcoming could have allowed attackers to trigger the processing of malicious content from an arbitrary URL on a victim’s device — without requiring any user interaction.

WhatsApp patched the issue in the following versions:

  • WhatsApp for iOS version 2.25.21.73 (patched July 28, 2025)
  • WhatsApp Business for iOS version 2.25.21.78 (patched August 4, 2025)
  • WhatsApp for Mac version 2.25.21.78 (patched August 4, 2025)
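
For administrators who need to confirm that managed devices are on a fixed build, the following added example (not from WhatsApp or the original article) audits an app inventory against the versions listed above. The CSV column layout, device names and status labels are assumptions; the comparison is numeric per component, because a plain string comparison would wrongly rank 2.25.9.80 above 2.25.21.73.

```python
import csv
import io

# Fixed versions as listed in the article; the keys are the article's product names.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def needs_update(product, installed):
    """True if installed is older than the fixed build, None if undecidable."""
    try:
        have, want = parse_version(installed), parse_version(FIXED[product])
    except (KeyError, ValueError):
        return None  # unknown product or malformed version: needs a human
    # Pad to equal length so '2.25.21' compares as '2.25.21.0'.
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want

def audit(inventory_csv):
    """Return (device, product, version, status) rows for a CSV export."""
    labels = {True: "UPDATE", False: "ok", None: "REVIEW"}
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["device"], r["product"], r["version"],
             labels[needs_update(r["product"], r["version"])]) for r in reader]

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE = """device,product,version
phone-01,WhatsApp for iOS,2.25.9.80
phone-02,WhatsApp for iOS,2.25.21.73
phone-03,WhatsApp Business for iOS,2.25.21.77
mac-01,WhatsApp for Mac,2.25.22.1
mac-02,WhatsApp for Mac,unknown
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Rows marked REVIEW are entries the script could not decide on (an unlisted product or an unreadable version string) and should be checked by hand rather than assumed safe.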

Connection to Apple’s Zero-Day CVE-2025-43300

Security experts believe the WhatsApp zero-click exploit may have been chained with CVE-2025-43300, a critical Apple vulnerability disclosed last week. The flaw, located in Apple’s ImageIO framework, was an out-of-bounds write bug that allowed memory corruption when processing malicious images.

Apple confirmed that attackers had used CVE-2025-43300 in ‘extremely sophisticated attacks’ against targeted individuals, and warned that the combined exploitation suggested a coordinated spyware campaign.

Who Was Targeted?

According to Amnesty International’s Donncha Ó Cearbhaill, WhatsApp alerted fewer than 200 people who may have been targeted by the spyware attacks. These individuals included journalists, civil society members, and human rights defenders.

In its notifications, WhatsApp advised affected users to:

  • Perform a full device factory reset
  • Update their operating system immediately
  • Ensure they are running the latest WhatsApp version

Ó Cearbhaill described the pair of vulnerabilities as a “zero-click” attack, meaning victims did not need to click on any links or interact with content for their devices to be compromised.

Broader Implications of the Exploit

The discovery of the WhatsApp zero-click exploit underscores the growing threat posed by government-grade spyware. Such attacks increasingly target individuals critical of governments or engaged in sensitive work.

These incidents highlight:

  • The importance of regular updates to apps and operating systems
  • The need for strong security monitoring for high-risk groups
  • The ongoing challenge of balancing accessibility with security in widely used apps like WhatsApp

The patching of the WhatsApp zero-click exploit is a crucial step in protecting users from advanced spyware threats. However, as attackers continue to exploit zero-day vulnerabilities, staying secure requires constant vigilance. Regularly updating apps, enabling threat notifications, and practicing good digital hygiene remain essential for individuals — particularly those in at-risk communities.

Tags: CVE-2025-55177, iOS security flaw, macOS exploit, WhatsApp spyware attack, WhatsApp vulnerability 2025, WhatsApp zero-click exploit
Managed by Bizmart Media

© 2025 iOSARENA. A Bizmart Holdings LLC Company.
