
MENLO PARK, Calif. - Aug 30, 2025 (UTC) - WhatsApp has patched a critical security vulnerability in its iOS and Mac applications that was actively exploited by attackers to deploy advanced spyware on Apple devices, the Meta-owned company announced. The zero-click attack, which required no user interaction to compromise devices, represents one of the most sophisticated mobile surveillance campaigns discovered this year.
The vulnerability, tracked as CVE-2025-55177, was used in conjunction with a separate Apple security flaw to target specific individuals with government-grade spyware over a three-month period. Security researchers describe the attack as particularly dangerous because victims had no way to detect or prevent the compromise, which could access all device data including private messages, contacts, and sensitive documents.
The Vulnerability Details
The security flaw, officially designated as CVE-2025-55177 with a CVSS severity score of 8.0, stems from insufficient authorization controls in WhatsApp’s linked device synchronization messaging system. This vulnerability allowed malicious actors to trigger the processing of content from arbitrary URLs on targeted devices without requiring any user interaction.
The attack specifically targeted:
- WhatsApp for iOS versions prior to 2.25.21.73
- WhatsApp Business for iOS version 2.25.21.78
- WhatsApp for Mac version 2.25.21.78
Chained Attack Strategy
Security researchers revealed that attackers combined the WhatsApp vulnerability with a separate Apple security flaw (CVE-2025-43300) to create a devastating attack chain. The Apple vulnerability, an out-of-bounds write issue in the ImageIO framework, was patched by Apple last week after the company acknowledged it had been exploited in “extremely sophisticated attacks against specific targeted individuals.”
The two-stage attack worked as follows:
- Initial Compromise: The WhatsApp flaw tricked victim devices into fetching and processing malicious content from attacker-controlled URLs
- Code Execution: The Apple ImageIO vulnerability then enabled attackers to achieve remote code execution through malicious image processing
Scale and Impact
According to Meta spokesperson Margarita Franklin, the company detected and patched the vulnerability “a few weeks ago” and sent notifications to “less than 200” affected WhatsApp users. However, security experts suggest the actual scope of the campaign may be broader.
Donncha Ó Cearbhaill, who leads Amnesty International’s Security Lab, characterized the incidents as an “advanced spyware campaign” that has been active for approximately 90 days, targeting users since late May 2025. The attack was capable of completely compromising victim devices and accessing all stored data, including private messages.
Government Spyware Connection
While the specific perpetrators remain unidentified, the sophisticated nature of the attack and its targeting patterns suggest the involvement of commercial spyware vendors that typically sell surveillance tools to government agencies. The zero-click nature of the attack—requiring no user interaction—is a hallmark of high-end commercial spyware products.
This incident adds to WhatsApp’s ongoing battles with government surveillance tools. Earlier this year, a U.S. court ordered spyware manufacturer NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that compromised over 1,400 users’ devices using the company’s Pegasus spyware.
User Protection Measures
WhatsApp has advised affected users to take several protective steps:
- Perform a complete factory reset of their devices
- Ensure their operating systems are updated to the latest versions
- Update WhatsApp to the most recent version
- Remain vigilant for unusual device behavior
The company’s internal security team discovered the vulnerability and implemented fixes across all affected platforms. Users should verify they’re running the latest versions of WhatsApp and ensure automatic updates are enabled.
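A fleet administrator triaging the "update WhatsApp" step above needs a reliable way to tell which installed builds are still below the fixed version. The following Python script is an added example, not code from the article, from WhatsApp or from Meta. It uses the version numbers the article lists as thresholds: for WhatsApp for iOS the fixed build is taken to be 2.25.21.73 (the article says builds prior to it were affected); for WhatsApp Business for iOS and WhatsApp for Mac the article lists 2.25.21.78, and this example assumes that is the first patched build for those products. The product names, device identifiers and inventory rows are constructed for the example.

```python
"""
Added example (not from the article or from WhatsApp/Meta): a small triage
check that decides whether an installed WhatsApp build still needs the
CVE-2025-55177 update, using the version numbers the article lists.

Assumption: the fixed build for WhatsApp for iOS is 2.25.21.73 (the article
says versions prior to that were affected). For WhatsApp Business for iOS and
WhatsApp for Mac the article lists 2.25.21.78; this example treats that as the
first patched build for those products. Confirm the thresholds against the
vendor advisory before relying on them.
"""
from typing import Dict, List, Tuple

# Product name (constructed label) -> first build carrying the fix (see above).
FIXED_BUILDS: Dict[str, str] = {
    "whatsapp-ios": "2.25.21.73",
    "whatsapp-business-ios": "2.25.21.78",
    "whatsapp-mac": "2.25.21.78",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted build string like '2.25.21.73' into a comparable tuple.

    Rejects empty or non-numeric components so a malformed string from an
    inventory export fails loudly instead of silently comparing as patched.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Shorter tuples are padded with zeros so '2.25.21' compares equal to
    '2.25.21.0' rather than sorting as older.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def needs_update(product: str, installed: str) -> bool:
    """True when the installed build is older than the first fixed build."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"unknown product {product!r}; known: {sorted(FIXED_BUILDS)}")
    return compare_versions(installed, FIXED_BUILDS[product]) < 0


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Classify (device_id, product, version) rows.

    Returns device_id -> 'update-required', 'patched' or 'unparseable', so a
    malformed version is surfaced for follow-up rather than dropped. An
    unknown product name still raises KeyError, since that is a data error
    the operator should fix rather than a per-device finding.
    """
    result: Dict[str, str] = {}
    for device_id, product, version in inventory:
        try:
            result[device_id] = (
                "update-required" if needs_update(product, version) else "patched"
            )
        except ValueError:
            result[device_id] = "unparseable"
    return result


# Constructed sample inventory; device ids and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("phone-01", "whatsapp-ios", "2.25.21.72"),
    ("phone-02", "whatsapp-ios", "2.25.21.73"),
    ("phone-03", "whatsapp-business-ios", "2.25.20.80"),
    ("mac-01", "whatsapp-mac", "2.25.22.1"),
    ("phone-04", "whatsapp-ios", "2.25.x"),
]

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Running the script prints one status per constructed device; the zero-padding in `compare_versions` matters because inventory tools often report three-component build numbers while the advisory lists four.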
Broader Security Implications
This attack highlights the continuing evolution of commercial spyware capabilities and their targeting of civil society, journalists, and human rights defenders. The successful chaining of vulnerabilities across different platforms demonstrates the sophisticated resources available to state-sponsored and commercial surveillance operators.
Security researchers emphasize that zero-click attacks represent one of the most serious threats in mobile security, as they can compromise devices without any warning signs or required user actions. The incident underscores the importance of rapid security updates and the ongoing cat-and-mouse game between technology companies and surveillance vendors.
Users who believe they may have been targeted by the spyware campaign are encouraged to contact security researchers through established secure channels to help investigate the scope and attribution of the attacks.