WhatsApp Fixes ‘Zero-Click’ Vulnerability Used to Hack Apple Users with Spyware

On Friday, WhatsApp revealed it has fixed a security vulnerability in its iOS and Mac applications that was being exploited to secretly access the devices of “specific targeted users.”

The messaging leader, part of Meta, stated in its security advisory that the flaw, designated as CVE-2025-55177, was exploited alongside another issue in iOS and Macs, which Apple addressed last week and labeled as CVE-2025-43300.

Apple had previously indicated that this vulnerability was part of an “extremely sophisticated attack against specific targeted individuals.” It has now come to light that many WhatsApp users were impacted by the interplay of these vulnerabilities.

Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, referred to the incident as an “advanced spyware campaign” targeting users over the last 90 days, starting from late May. Ó Cearbhaill described the two vulnerabilities as a “zero-click” attack, meaning no action from the victim, such as clicking a link, is required for their device to be compromised.

Chaining these two vulnerabilities allows an attacker to deliver an exploit through WhatsApp that can extract data from the user’s Apple device.

According to Ó Cearbhaill, who shared the alert WhatsApp sent to affected users, the attack could “compromise your device and the data it holds, including messages.”

The identity of the attackers or the specific spyware vendor involved remains unclear.

In a statement to TechCrunch, Meta spokesperson Margarita Franklin confirmed that the company identified and resolved the vulnerability “a few weeks ago,” noting that “less than 200” notifications were sent to affected WhatsApp users.

When asked, the spokesperson did not disclose whether WhatsApp has any evidence linking the hacks to a particular attacker or surveillance vendor.

This is not the first case of government spyware targeting WhatsApp users, as such malware can compromise fully patched devices through previously unknown vulnerabilities, known as zero-day flaws.

In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking operation that compromised the devices of over 1,400 WhatsApp users with an exploit that deployed NSO’s Pegasus spyware. WhatsApp sued NSO, claiming violations of federal and state hacking laws as well as its terms of service.

Earlier this year, WhatsApp blocked a spyware operation aimed at around 90 users, including journalists and members of civil society in Italy. The Italian government denied any involvement in the espionage campaign. Paragon, the vendor responsible for the spyware, later terminated its relationship with Italy for failing to investigate the misuse.

If you received a notification indicating that your device was compromised, please contact this reporter securely via the username zackwhittaker.1337 on Signal.