WhatsApp fixes ‘zero-click’ bug used to hack Apple users with spyware

WhatsApp announced on Friday that it has fixed a security vulnerability in its iOS and Mac applications. This bug was actively exploited to covertly hack into the Apple devices of specific, targeted individuals.

The messaging app, owned by Meta, stated in a security advisory that it resolved the issue, officially identified as CVE-2025-55177. This vulnerability was used in conjunction with a separate flaw in iOS and Mac devices, which Apple patched last week under the tracking number CVE-2025-43300. Apple had previously noted that its flaw was part of an extremely sophisticated attack aimed at specific targets. It is now known that dozens of WhatsApp users were targeted using this pair of security flaws.

Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, characterized the attack as an advanced spyware campaign. He reported that users were targeted over the past 90 days, since the end of May. Ó Cearbhaill described the combined bugs as a zero-click attack, meaning it could compromise a device without requiring any interaction from the victim, such as clicking a link.

When chained together, these two vulnerabilities enable an attacker to deliver a malicious exploit through WhatsApp. This exploit is capable of stealing data from the user’s Apple device. According to Ó Cearbhaill, who shared a copy of the threat notification sent by WhatsApp, the attack could compromise the device and the data it contained, including personal messages.

It remains unclear who is behind these attacks or which spyware vendor is responsible. When contacted by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw a few weeks ago. She stated that WhatsApp sent fewer than 200 notifications to affected users. When asked, the spokesperson did not confirm if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.

This is not the first instance of WhatsApp users being targeted by government spyware, a type of malware that can break into fully updated devices using vulnerabilities unknown to the software vendor, known as zero-day flaws.

In May, a U.S. court ordered the spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign. That campaign breached the devices of over 1,400 WhatsApp users with an exploit designed to install NSO’s Pegasus spyware. WhatsApp pursued the legal case against NSO, citing violations of federal and state hacking laws, as well as its own terms of service.

Earlier this year, WhatsApp disrupted another spyware campaign that targeted approximately 90 users, including journalists and members of civil society in Italy. The Italian government denied any involvement in that spying campaign. Paragon, the company whose spyware was used, later terminated its contract with the Italian government for failing to investigate the abuse of its tools.