Date: 2025-08-30

WhatsApp has fixed a critical security flaw in its iOS and Mac apps that was used to hack into the Apple devices of targeted users. The company said on Friday that the bug, identified as CVE-2025-55177, was exploited alongside a separate Apple vulnerability, CVE-2025-43300, which the iPhone maker patched last week.

Apple described the flaw as part of an “extremely sophisticated attack against specific targeted individuals.” Security researchers now confirm that dozens of WhatsApp users were targeted through this pair of vulnerabilities.

Zero-Click Spyware Campaign

According to Donncha Ó Cearbhaill (via TechCrunch), who leads Amnesty International’s Security Lab, the two flaws enabled a “zero-click” spyware attack. In this type of intrusion, victims do not need to click a link or interact with their device for the compromise to succeed. The bugs allowed attackers to send a malicious exploit through WhatsApp, giving them access to device data, including messages. Ó Cearbhaill said the campaign had targeted users since late May and shared screenshots of WhatsApp’s threat notifications sent to affected individuals.

Meta spokesperson Margarita Franklin confirmed that WhatsApp detected and patched the flaw “a few weeks ago” and had notified fewer than 200 users. The company did not attribute the attack to any specific group or spyware vendor.

This marks another instance of WhatsApp being used as a delivery vector for government-grade spyware. In May, a U.S. court ordered Israeli spyware maker NSO Group to pay $167 million in damages for a 2019 hacking campaign that compromised more than 1,400 WhatsApp users with Pegasus spyware. The lawsuit accused NSO of violating federal and state hacking laws and WhatsApp’s own terms of service.

Earlier this year, WhatsApp also disrupted a spyware campaign that targeted about 90 users, including journalists and civil society members in Italy. The Italian government denied involvement, and spyware vendor Paragon later cut off Italy from its tools, citing abuse concerns.