WhatsApp has patched a critical security vulnerability in its iOS and Mac apps that allowed attackers to silently compromise Apple devices. The flaw, identified as CVE-2025-55177, worked alongside a separate iOS/macOS vulnerability (CVE-2025-43300) that Apple fixed last week. Combined, these bugs enabled attackers to deliver spyware without any interaction from the user. This type of exploit, known as a “zero-click” attack, highlights ongoing concerns about targeted cyber threats even on fully patched devices.
The Vulnerability and Apple’s Role
The vulnerability in WhatsApp allowed attackers to deliver malicious payloads to Apple devices over the messaging platform. Victims did not need to click any links or download files for the attack to succeed. Once the exploit was triggered, attackers could access private messages, contacts, photos, and other sensitive data stored on the device. This attack demonstrates the increasing sophistication of spyware campaigns that specifically target high-profile individuals, journalists, and human rights activists..
Targeted Attack Campaign
Amnesty International’s Security Lab confirmed that the attacks occurred over a 90-day period starting in late May. According to reports, the campaign targeted a small number of high-value users. WhatsApp sent notifications to fewer than 200 affected users, urging them to update their apps immediately. Experts warn that even a small-scale attack like this can have serious consequences, especially for users handling sensitive information in professional or activist roles.
Unclear Attacker Identity
Despite the scale and sophistication of the attacks, WhatsApp and Apple have not publicly attributed the hacks to a specific individual, organization, or government entity. Meta confirmed the vulnerability was patched weeks ago but did not share evidence linking the attacks to any known spyware vendor. The anonymity of the attackers underlines the challenges in tracking cyber espionage campaigns, where state or commercial spyware tools can be deployed with little traceability.
Past Spyware Incidents
This is not the first time WhatsApp users have been targeted by sophisticated spyware. In 2019, NSO Group used a similar method to deliver Pegasus spyware to more than 1,400 users, leading to a $167 million legal ruling against the company. Earlier this year, WhatsApp also disrupted a campaign targeting journalists and civil society members in Italy, where spyware from Paragon was exploited. These incidents demonstrate a pattern of attacks against messaging platforms, highlighting the need for users to stay vigilant and keep software up to date.
How Users Can Protect Themselves
To minimize risk, users should always update WhatsApp and their device’s operating system to the latest versions. Be cautious about suspicious messages or unexpected prompts, even on fully patched devices. Users handling sensitive information should consider additional security measures, such as device encryption, secure backups, and using alternative communication channels for highly confidential discussions. Staying informed about security advisories and promptly applying patches is critical in preventing similar attacks in the future.
Future Outlook on Messaging Security
The recent zero-click vulnerability in WhatsApp underscores the evolving landscape of cyber threats. As attackers develop more sophisticated methods, messaging platforms must continually invest in proactive security measures and rapid response mechanisms.
Experts predict that future spyware campaigns will increasingly target high-value users, including journalists, activists, and executives, using techniques that bypass traditional security checks. This makes continuous software updates, real-time threat monitoring, and user education more critical than ever.
For messaging app providers, building trust will depend on transparency, timely patching of vulnerabilities, and collaboration with cybersecurity organizations. For users, adopting a security-first mindset—regular updates, strong device security, and cautious handling of sensitive information—will be essential to safeguard personal and professional data.
The overarching goal is a digital environment where secure communication is the norm, and even advanced spyware campaigns are detected and neutralized before significant damage can occur.
