WhatsApp has fixed a serious security flaw that was being used in real-world attacks. The vulnerability was found in its iOS and macOS apps and is believed to have been chained with a recently disclosed Apple zero-day.
The issue is tracked as CVE-2025-55177 and carries a CVSS score of 8.0. It was discovered by WhatsApp’s own security team. The flaw was caused by insufficient authorization of linked device synchronization messages. In simple terms, it could have allowed an attacker to make the app process content from an external URL on a victim’s device.
The affected versions include:
- WhatsApp for iOS before 2.25.21.73
- WhatsApp Business for iOS before 2.25.21.78
- WhatsApp for Mac before 2.25.21.78
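A defender-side check derived from the list above, added here as an example (it is not code from the article or from Meta): it compares installed build strings numerically against the fixed versions, since a plain string comparison would sort a newer build such as "2.25.21.100" before "2.25.21.78". The product keys and inventory rows are constructed assumptions.

```python
"""Flag WhatsApp builds older than the fixed versions named in the advisory."""
from typing import Dict, List, Tuple

# Fixed builds taken from the advisory text: anything older is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "whatsapp-ios": "2.25.21.73",          # assumed product key
    "whatsapp-business-ios": "2.25.21.78", # assumed product key
    "whatsapp-mac": "2.25.21.78",          # assumed product key
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted build string into an integer tuple for numeric comparison."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """Return True if the installed build is older than the fixed build."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    # Tuple comparison is element-wise and numeric, so 100 > 78 as intended.
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the device ids whose installed build is still affected."""
    return [device for device, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory rows (device id, product key, installed build).
SAMPLE_INVENTORY = [
    ("ios-001", "whatsapp-ios", "2.25.21.73"),           # exactly the fixed build
    ("ios-002", "whatsapp-ios", "2.25.20.80"),           # older minor build
    ("ios-003", "whatsapp-business-ios", "2.25.21.100"), # newer, despite sorting first as text
    ("mac-001", "whatsapp-mac", "2.25.21.77"),           # one build short of the fix
]

if __name__ == "__main__":
    print("still affected:", triage(SAMPLE_INVENTORY))  # prints ['ios-002', 'mac-001']
```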
Meta has said that attackers may have combined this flaw with another Apple vulnerability, CVE-2025-43300, to carry out sophisticated attacks against specific targets. That Apple flaw is an out-of-bounds write issue in the ImageIO framework. It could lead to memory corruption when a malicious image is processed. Apple confirmed last week that CVE-2025-43300 had already been exploited in advanced spyware attacks.
Amnesty International’s Security Lab has also weighed in. Donncha Ó Cearbhaill, head of the lab, said that WhatsApp notified some people who were targeted in the last 90 days. These victims are believed to be part of an advanced spyware campaign.
The alerts sent by WhatsApp recommend that users perform a factory reset of their devices and keep both the operating system and WhatsApp updated. At this point, it is not clear who is behind the attacks or which spyware vendor is involved.
What makes this case more worrying is that the flaws can be abused in a “zero-click” attack. Victims do not need to click on a link or perform any action. The attack happens silently in the background.
Ó Cearbhaill also said that early signs suggest that both iPhone and Android users are being targeted. Civil society members, journalists, and human rights defenders are likely among those affected.
This is not the first spyware-driven zero-day chain of its kind. Over the last few years, spyware makers have repeatedly used zero-click techniques to bypass device security and silently compromise high-profile targets.
For now, the best step for users is to update their devices and apps immediately. In cases where spyware infection is suspected, a factory reset may be the only reliable option.