WhatsApp Security Alert: Critical iOS and macOS Bug Fixed (CVE-2025-55177)


WhatsApp has rolled out an urgent security update after researchers discovered a dangerous zero-click exploit targeting iOS and macOS devices. The vulnerability, now tracked as CVE-2025-55177, could have been used in combination with another Apple flaw to launch advanced spyware attacks on targeted users.

This discovery highlights once again how messaging apps and operating systems remain prime targets for hackers and spyware vendors. Users of iPhone, iPad, and Mac are strongly advised to update both their WhatsApp application and their Apple operating system immediately.

A zero-click exploit is one of the most dangerous types of cyberattacks. Unlike phishing or malware attacks that require a user to click on a malicious link or download a file, a zero-click exploit needs no user interaction at all. Simply receiving a malicious message or image may be enough to compromise the device.

In this case, the WhatsApp flaw lay in how the app handled synchronization of linked devices. An attacker could exploit this weakness to make the victim’s device process content fetched from an arbitrary URL.

  • Vulnerability ID: CVE-2025-55177

  • CVSS Score: 8.0 (High Severity)

  • Impact: Could allow attackers to process malicious content on a victim’s device without permission

  • Affected Versions:

    • WhatsApp for iOS before version 2.25.21.73

    • WhatsApp Business for iOS before version 2.25.21.78

    • WhatsApp for Mac before version 2.25.21.78
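A fleet-inventory check against the fixed versions above, added here as an example (not WhatsApp’s or Meta’s code). It compares versions numerically, since a plain string comparison would wrongly treat 2.25.21.9 as newer than 2.25.21.73; the product keys and the inventory rows are constructed sample data.

```python
"""Flag installed WhatsApp builds that are below the first fixed version for CVE-2025-55177."""
from typing import Dict, List, Tuple

# First fixed version per product, taken from the advisory. Anything older is affected.
# Product keys are hypothetical labels chosen for this example.
FIXED_VERSIONS: Dict[str, str] = {
    "whatsapp-ios": "2.25.21.73",
    "whatsapp-business-ios": "2.25.21.78",
    "whatsapp-mac": "2.25.21.78",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 2.25.21.9 < 2.25.21.73.

    A string comparison would get this wrong ("9" > "7"), which is the classic
    bug in ad-hoc version checks.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, installed: str) -> bool:
    """Return True if `installed` is older than the first fixed build for `product`."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise ValueError(f"unknown product: {product}")
    return parse_version(installed) < parse_version(fixed)


def triage_inventory(rows: List[str]) -> List[str]:
    """Given 'device,product,version' rows, return the devices still on a vulnerable build."""
    needs_update = []
    for row in rows:
        device, product, version = (field.strip() for field in row.split(","))
        if is_affected(product, version):
            needs_update.append(device)
    return needs_update


# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = [
    "iphone-reporter-01,whatsapp-ios,2.25.21.9",      # older than 2.25.21.73: affected
    "iphone-reporter-02,whatsapp-ios,2.25.21.73",     # exactly the fixed build: not affected
    "ipad-desk-03,whatsapp-business-ios,2.25.21.77",  # one below 2.25.21.78: affected
    "macbook-editor-04,whatsapp-mac,2.25.22.1",       # newer minor: not affected
]

if __name__ == "__main__":
    for device in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device}: update WhatsApp (CVE-2025-55177)")
```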

WhatsApp’s internal security team was credited with discovering the flaw. The company confirmed that it may have been used in real-world attacks against targeted individuals.

Researchers believe that this WhatsApp flaw could have been chained together with another serious Apple vulnerability, CVE-2025-43300, disclosed last week.

  • CVE-2025-43300 is an out-of-bounds write vulnerability in Apple’s ImageIO framework, which processes images across iOS, iPadOS, and macOS.

  • Hackers could weaponize it by sending a malicious image file that triggers memory corruption, allowing them to execute code on the device.

Apple confirmed that CVE-2025-43300 was already being used in highly sophisticated attacks against targeted individuals. When combined with WhatsApp’s flaw, attackers could deliver spyware silently to victims’ devices.

According to Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, WhatsApp has already notified several users who were victims of this attack in the past 90 days.

The affected individuals are believed to include journalists, human rights defenders, and members of civil society — groups that are often targeted by government-backed spyware operations.

Ó Cearbhaill warned that the attacks are impacting both iPhone and Android users, suggesting that spyware operators are expanding their focus beyond one platform.


WhatsApp has issued the following recommendations to individuals who may have been affected:

  1. Update WhatsApp immediately to the latest version from the App Store or official website.

  2. Install the latest iOS or macOS updates from Apple to close related vulnerabilities.

  3. Consider a factory reset of the device if you suspect compromise, as spyware infections can be extremely difficult to remove.

  4. Stay vigilant against unusual device behavior such as overheating, rapid battery drain, or suspicious background activity.

The company emphasized that keeping both the app and the operating system updated is the best way to stay protected against evolving threats.

Traditional cyberattacks often rely on human error — a user clicking a phishing link or downloading a fake attachment. But zero-click attacks remove the human factor entirely.

This makes them:

  • Hard to detect (no obvious user interaction)

  • Difficult to block (exploit chains can bypass normal defenses)

  • Attractive to spyware vendors (ideal for surveillance on high-value targets)

Governments and private spyware firms have used similar zero-click exploits in the past, including those linked to Pegasus spyware. Such tools are often used against activists, lawyers, and political opponents.

If you use WhatsApp on iOS or macOS, you should:

  • Open the App Store and update WhatsApp to the latest version.

  • Ensure your device is running the latest version of iOS, iPadOS, or macOS.

  • Enable automatic updates for both apps and the operating system.

  • Use strong device security settings, such as enabling Face ID, two-factor authentication, and encrypted backups.

If you are a high-risk individual (such as a journalist, activist, or business executive), consider taking additional steps like using a separate secure device, threat monitoring tools, or consulting digital security experts.

The discovery of CVE-2025-55177 in WhatsApp, along with Apple’s CVE-2025-43300, shows that zero-click exploits are becoming one of the biggest cybersecurity risks in 2025. These flaws demonstrate how attackers can combine weaknesses in apps and operating systems to deliver spyware silently and effectively.

For everyday users, the best defense remains simple but essential: keep your apps and devices updated, avoid unofficial software, and remain alert to potential security alerts. For those in sensitive professions, the stakes are higher — and taking proactive digital security measures could make the difference between safety and compromise.
