WhatsApp Patches Critical Bug Used to Spy on Apple Users


On Friday, WhatsApp announced a fix for a security flaw that was being exploited to covertly compromise the devices of specific Apple users.

The popular messaging app, owned by Meta, said in a security advisory that it has fixed a vulnerability tracked as CVE-2025-55177: an incomplete authorization check on linked-device synchronization messages that could let an unrelated user trigger processing of content from an arbitrary URL on a target's device. Attackers chained it with a separate flaw in Apple's iOS and macOS, CVE-2025-43300, an out-of-bounds write in the ImageIO framework triggered by a malicious image file, which Apple had already patched.

Apple initially reported that the ImageIO flaw had been used in a “highly sophisticated” attack against specific targeted individuals. It is now known that dozens of WhatsApp users were hit with the combined exploit chain.

Donncha Ó Cearbhaill, who leads the Security Lab at Amnesty International, described the incident on X as part of an “advanced spyware campaign” that had been running for about 90 days, since late May. He characterized the exploit as “zero-click”: victims did not need to click a link or interact with anything for their device to be compromised.

Chained together, the two vulnerabilities let an attacker deliver a malicious payload through WhatsApp that compromised the device and could be used to steal data from it.

Ó Cearbhaill shared an example of the notification WhatsApp sent to affected users, which explained that the attack could “compromise your device and the information it stores, including messages.”

Who was behind the attacks, and which spyware vendor, if any, supplied the exploit, remains unknown.

In a statement to TechCrunch, Meta spokesperson Margarita Franklin confirmed that the vulnerability was discovered and fixed “a few weeks ago,” and that fewer than 200 notifications were sent to affected WhatsApp users.

Franklin would not say whether WhatsApp has evidence attributing the hacks to a particular attacker or surveillance vendor.

This incident is the latest instance of spyware targeting WhatsApp users. Such attacks can compromise otherwise well-secured devices by exploiting zero-day vulnerabilities, flaws unknown to the vendor for which no patch yet exists.

Earlier, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million over a 2019 hacking campaign that compromised the devices of more than 1,400 WhatsApp users with NSO's Pegasus spyware. WhatsApp had sued NSO Group for violating federal and state hacking laws and its terms of service.

Earlier this year, WhatsApp also disrupted a spyware campaign that targeted around 90 people, including journalists and activists in Italy. The Italian government denied any involvement. The spyware vendor behind the campaign later ended its services to Italy after the alleged misuse went uninvestigated.

If you’ve received a notification on device compromise, reach out to this reporter securely at username zackwhittaker.1337 on Signal.
