WhatsApp 0-Day Exploited in Attacks on Targeted iOS and macOS Users

HackRead
WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The flaw was used to steal data. Update your app now to stay protected.

WhatsApp has revealed it has patched a serious security vulnerability in its apps for Apple devices that was used to secretly compromise the iPhones and Macs of “specific targeted users.”

The bug, identified as CVE-2025-55177, was discovered by WhatsApp’s internal security team. The company explained in its official advisory that the flaw was part of a sophisticated attack chain that linked two separate vulnerabilities. This is a zero-click attack method, which does not require a victim to click on a link, open a file, or take any other action for their device to be compromised.

The flaw itself was a case of “incomplete authorisation of linked device synchronisation messages,” the advisory explains. This allowed an unrelated user to force a target’s device to process content from a malicious web address.

When paired with CVE-2025-43300, a separate flaw in how Apple handles images (which Apple had already fixed), this attack chain could be used to install a malicious program and steal data without any user interaction. The flaw affects WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before version 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. WhatsApp confirmed it had sent notifications to “less than 200” users it believed had been affected.
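A fleet check against the version thresholds above, as an added example that is not from WhatsApp's advisory or the original article; the inventory columns, device names and the product/platform labels used as keys are assumptions, and the sample rows are constructed. It compares version components numerically, since a plain string comparison would rank 2.25.21.8 above 2.25.21.73.

```python
import csv
import io

# First fixed versions as stated in the article; anything lower is affected.
# The (app, platform) key labels are assumptions about the inventory export.
FIXED = {
    ("WhatsApp", "iOS"): "2.25.21.73",
    ("WhatsApp Business", "iOS"): "2.25.21.78",
    ("WhatsApp", "macOS"): "2.25.21.78",
}

def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73) so parts compare as integers."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(app, platform, version):
    """True if below the fix, False if patched, None if it cannot be judged."""
    fixed = FIXED.get((app, platform))
    if fixed is None:
        return None  # product not covered by this advisory
    try:
        installed = parse_version(version)
    except ValueError:
        return None  # empty or non-numeric version: review by hand
    wanted = parse_version(fixed)
    # Pad the shorter tuple so '2.25.21' is treated as '2.25.21.0'.
    width = max(len(installed), len(wanted))
    installed += (0,) * (width - len(installed))
    wanted += (0,) * (width - len(wanted))
    return installed < wanted

def triage(inventory_csv):
    """Return (affected, unknown) device lists from an inventory export."""
    affected, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = is_affected(row["app"], row["platform"], row["version"])
        if verdict is None:
            unknown.append(row["device"])
        elif verdict:
            affected.append(row["device"])
    return affected, unknown

# Constructed sample inventory (hypothetical columns and device names).
SAMPLE = """device,app,platform,version
iphone-01,WhatsApp,iOS,2.25.21.8
iphone-02,WhatsApp,iOS,2.25.21.73
iphone-03,WhatsApp Business,iOS,2.25.21.73
mac-01,WhatsApp,macOS,2.25.22.1
mac-02,WhatsApp,macOS,
"""
```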

According to a statement from the National Cybersecurity Agency (NCSA) in Qatar, the severity of this flaw lies in its mechanism for processing synchronisation messages between linked devices, which could allow a hacker to gain initial access to a victim’s device.

#Meta, the owner of the famous chat app #WhatsApp, has announced the existence of a critical vulnerability in the app. The severity of this flaw lies in the mechanism for processing synchronization messages between linked devices, allowing an attacker to send a crafted… pic.twitter.com/dYIwdij0gP

— Qatar Tribune (@Qatar_Tribune) August 30, 2025

Amnesty International’s Security Lab, led by Donncha Ó Cearbhaill, described the pair of bugs as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May, and was capable of stealing data from a user’s device, including messages. In a post on X, Ó Cearbhaill also advised people to update their devices or perform a factory reset.

While it’s not yet clear who is behind this latest attack, it is not the first time that WhatsApp users have been targeted by advanced spyware. In 2019, the messaging app sued the spyware maker NSO Group for a hacking campaign that compromised more than 1,400 users with its Pegasus spyware. A US court later ordered the company to pay WhatsApp $167 million in damages.

This new incident shows the ongoing threat of government spyware and malware. It also emphasises why users should always keep their apps and operating systems updated, as these updates often contain critical security patches to protect against such sophisticated attacks.
