WhatsApp announced on Friday that it has patched a critical security flaw in its iOS and Mac applications that was actively exploited to infiltrate Apple devices belonging to specifically targeted users.

According to the company’s security advisory, the vulnerability—tracked as CVE-2025-55177—was exploited in combination with another flaw in iOS and macOS (CVE-2025-43300), which Apple fixed last week. Apple previously described the exploit as part of an “extremely sophisticated attack” aimed at a small group of individuals. It has since been confirmed that dozens of WhatsApp users were affected.

Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, described the incident on X as an “advanced spyware campaign” that has been active for the past 90 days, dating back to late May. He noted that the vulnerabilities were leveraged in a zero-click attack, requiring no user interaction such as clicking a link, making it especially dangerous.

By chaining the two flaws together, attackers could deliver a malicious payload through WhatsApp capable of extracting sensitive data from the victim’s Apple device. According to Ó Cearbhaill, WhatsApp’s threat notifications to impacted users stated that the exploit could compromise both the device and its stored data, including private messages.

It remains unclear who was behind the attack or which spyware vendor developed the tools. Meta spokesperson Margarita Franklin told TechCrunch that WhatsApp detected and resolved the flaw “a few weeks ago” and subsequently issued fewer than 200 notifications to affected users. The company has not attributed the campaign to a specific actor or surveillance group.

This incident underscores a recurring threat. WhatsApp users have been repeatedly targeted by government-grade spyware—malware capable of exploiting zero-day vulnerabilities in fully updated devices.

In May, a U.S. court ordered NSO Group to pay WhatsApp $167 million in damages for its 2019 campaign that compromised over 1,400 users by deploying its Pegasus spyware. WhatsApp pursued legal action against NSO, citing violations of U.S. hacking laws and its own terms of service.

More recently, WhatsApp disrupted another spyware campaign targeting approximately 90 individuals, including journalists and civil society members in Italy. The Italian government denied involvement, and the spyware vendor Paragon later cut off Italy’s access to its tools after failing to investigate the abuse.

This latest case highlights the continued evolution of surveillance threats and the importance of rapid patching and user awareness.

Source: https://techcrunch.com/2025/08/29/whatsapp-fixes-zero-click-bug-used-to-hack-apple-users-with-spyware