
WhatsApp fixes Apple-targeted zero-day exploited in sophisticated hacking campaign

Photo shows WhatsApp messenger application icon on Apple iPhone X smartphone screen, accessed on August 30, 2025. (Adobe Stock Photo)
August 30, 2025 01:35 AM GMT+03:00

WhatsApp said Friday that it has fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into Apple devices of “specific targeted users.”

The Meta-owned messaging app confirmed that a sophisticated attack campaign leveraged a previously unknown zero-day vulnerability in WhatsApp on Apple devices to target specific individuals.

The vulnerability, now identified as CVE-2025-55177, was combined with a separate flaw in Apple’s operating systems to compromise devices and access user data.

In its security advisory, WhatsApp said it fixed the vulnerability, which was used alongside a separate flaw found in iOS and Macs. Apple patched that flaw last week, tracking it as CVE-2025-43300.

WhatsApp has patched the vulnerability and has been sending threat notifications to individuals it believes were targeted by the advanced spyware campaign within the last 90 days. The company is urging affected users to take immediate action to secure their devices.

Photo shows close-up view of hand with smartphone and WhatsApp logo on display with laptop in background, accessed on August 30, 2025. (Adobe Stock Photo)

Two-pronged attack exploits chain of vulnerabilities

The attack exploited a chain of vulnerabilities to gain access to target devices, with the initial entry point through WhatsApp on iOS and macOS.

The WhatsApp vulnerability, CVE-2025-55177, existed in the way WhatsApp handled linked device synchronization messages. According to WhatsApp’s advisory, the flaw could allow an attacker to trigger the processing of content from an arbitrary URL on a target device.

The flaw affected WhatsApp for iOS versions before 2.25.21.73, WhatsApp Business for iOS before 2.25.21.78, and WhatsApp for Mac before 2.25.21.78.

Apple said the flaw was used in an “extremely sophisticated attack against specific targeted individuals.” Reports indicate that dozens of WhatsApp users were targeted with this pair of vulnerabilities.

It is not immediately clear who is behind the attacks or which spyware vendor was involved.

This is not the first time WhatsApp users have been targeted by government-grade spyware: malware capable of breaking into fully patched devices through zero-day flaws, which are vulnerabilities unknown to the vendor.

In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that infiltrated devices of more than 1,400 WhatsApp users with an exploit capable of installing NSO’s Pegasus spyware. WhatsApp filed the lawsuit, citing violations of federal and state hacking laws and breaches of its terms of service.

Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including journalists and civil society members in Italy. The Italian government denied involvement. Paragon, the spyware company behind the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.
