WhatsApp fixes 'zero-click' flaw that targeted Apple users
NewsBytes | August 30, 2025 7:39 PM CST





WhatsApp has fixed a critical security flaw in its iOS and Mac apps, which was being exploited in a spyware campaign.

The vulnerability, tracked as CVE-2025-55177, was linked to another bug in Apple devices (CVE-2025-43300); together, the two formed a "zero-click" exploit.

This type of attack doesn't require any interaction from the victim to compromise their device.


Attackers accessed sensitive data, including private messages
Targeted attack


The spyware campaign had been active since late May and was described as highly sophisticated by Amnesty International's Security Lab.

The combination of the two bugs allowed attackers to access sensitive data, including private WhatsApp messages.

Meta, WhatsApp's parent company, detected the activity weeks ago and notified fewer than 200 affected users. However, the company has not disclosed who was behind these attacks.


WhatsApp previously targeted by NSO Group
Previous incidents


This isn't the first time that WhatsApp has been targeted by surveillance vendors.

In 2019, spyware maker NSO Group exploited a similar zero-day vulnerability to install Pegasus spyware. A US court later ordered NSO to pay WhatsApp $167 million in damages.

Earlier this year, the messaging service also thwarted a campaign using Paragon spyware that targeted journalists in Italy.


Zero-day vulnerabilities pose significant risks
Persistent risk


The latest discovery highlights the persistent threat of zero-day vulnerabilities being exploited against high-risk individuals, even on fully patched Apple devices.

Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, described the attack as an "advanced spyware campaign" targeting users over the past 90 days.

He confirmed that dozens of WhatsApp users were targeted with this pair of flaws.

