Home » Security News » WhatsApp Patches Security Flaw Exploited in Target...

WhatsApp Patches Security Flaw Exploited in Targeted Zero-Day Attacks

Deepanker Verma August 30, 2025 Security

Add Techlomedia as a preferred source on Google.

WhatsApp has fixed a serious security flaw that was being used in real-world attacks. The vulnerability was found in its iOS and macOS apps and is believed to have been linked with a recently disclosed Apple zero-day.

The issue is tracked as CVE-2025-55177 and carries a CVSS score of 8.0. It was discovered by WhatsApp’s own security team. The flaw was caused by insufficient authorization of linked device synchronization messages. In simple terms, it could have allowed an attacker to make the app process content from an external URL on a victim’s device.

The affected versions include:

WhatsApp for iOS before 2.25.21.73
WhatsApp Business for iOS before 2.25.21.78
WhatsApp for Mac before 2.25.21.78

Meta has said that attackers may have combined this flaw with another Apple vulnerability, CVE-2025-43300, to carry out sophisticated attacks against specific targets. That Apple flaw is an out-of-bounds write issue in the ImageIO framework. It could lead to memory corruption when a malicious image is processed. Apple confirmed last week that CVE-2025-43300 had already been exploited in advanced spyware attacks.

Amnesty International’s Security Lab has also weighed in. Donncha Ó Cearbhaill, head of the lab, said that WhatsApp notified some people who were targeted in the last 90 days. These victims are believed to be part of an advanced spyware campaign.

🚨 BREAKING: New zero-click exploit used to hack WhatsApp users.

WhatsApp has just sent out a round of threat notifications to individuals they believe where targeted by an advanced spyware campaign in past 90 days.

Seek out expert help if you have received this alert pic.twitter.com/i4cHLsiNOr
— Donncha Ó Cearbhaill (@DonnchaC) August 29, 2025

The alerts sent by WhatsApp recommend users to perform a factory reset of their devices and to keep both the operating system and WhatsApp updated. At this point, it is not clear who is behind the attacks or which spyware vendor is involved.

What makes this case more worrying is that the flaws can be abused in a “zero-click” attack. Victims do not need to click on a link or perform any action. The attack happens silently in the background.

Ó Cearbhaill also said that early signs suggest that both iPhone and Android users are being targeted. Civil society members, journalists, and human rights defenders are likely among those affected.

This is not the first time we are seeing such spyware-driven zero-day chains. Over the last few years, spyware makers have repeatedly used zero-click techniques to bypass device security and silently compromise high-profile targets.

For now, the best step for users is to update their devices and apps immediately. In cases where spyware infection is suspected, a factory reset may be the only reliable option.

Follow Techlomedia on Google News to stay updated.

Affiliate Disclosure:

This article may contain affiliate links. We may earn a commission on purchases made through these links at no extra cost to you.

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.