WhatsApp Fixes Zero-Click Spyware Flaw After Highly Targeted Attacks
WhatsApp has quietly patched a serious security hole that was exploited in a sophisticated spyware operation aimed at fewer than 200 users worldwide. The company has confirmed that the bug, now tracked as CVE-2025-55177, affected both its iOS and macOS apps and allowed attackers to compromise devices without requiring victims to click anything.
The vulnerability was chained with a separate Apple flaw, CVE-2025-43300, which Apple had already fixed. Apple previously described that exploit as part of a “highly targeted attack” campaign. Together, the two weaknesses gave attackers the ability to silently infiltrate a device, potentially stealing messages and personal data.
Emergency Update Rolled Out
Meta’s security team, which oversees WhatsApp, detected the exploit and quickly pushed emergency updates for WhatsApp on iPhone and Mac. The company also sent out direct threat notifications to those believed to be affected.
Meta confirmed the number of targeted users was under 200, highlighting that this was not a widespread attack but a precise, highly resourced campaign. The company is urging all users, regardless of whether they received a notification, to immediately update WhatsApp and their Apple devices to the latest versions.
Spyware Investigation Underway
Amnesty International’s Security Lab is investigating the breach, examining multiple suspected victims to determine exactly how the spyware was deployed. So far, no spyware vendor or hacking group has claimed responsibility, and forensic teams are still piecing together the full attack chain.
How the Exploit Worked
According to initial technical details, the WhatsApp flaw was tied to how the app handled linked-device messages. When it was paired with Apple’s ImageIO memory corruption bug, attackers could deliver malicious code directly to the device, with no user interaction required. Once exploited, the chain gave attackers a window into the victim’s private messages and files.
What Users Should Do
While the campaign targeted a small group, security experts stress that everyone should update their apps and operating systems to stay protected. Users are advised to:
- Update WhatsApp via the official App Store or Mac App Store
- Install the latest iOS and macOS security patches
- Review their linked devices in WhatsApp settings
- Enable strong device locks and be cautious of unusual notifications
If you receive a WhatsApp threat alert, follow the in-app guidance and consult your device vendor for additional support.