Meta warns that a WhatsApp vulnerability on Apple devices allowed hackers to target some users with zero-click spyware. WhatsApp describes the medium-severity vulnerability CVE-2025-55177 (CVSS v3 score of 5.4) as “incomplete authorization of linked device synchronization messages.”
It affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS prior to version 2.25.21.78, and WhatsApp for Mac prior to version 2.25.21.78; those releases carry the fix.
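A practical first check is whether the installed clients are at or above the fixed builds. The following script is an added example, not WhatsApp's or Meta's code: it compares version strings numerically against the fixed versions named in the advisory (a plain string comparison would wrongly rank “2.25.9” above “2.25.21”), pads short version strings, and reads the installed macOS client version from the app bundle's Info.plist. The bundle path `/Applications/WhatsApp.app` and the sample inventory are assumptions for illustration.

```python
import plistlib
from pathlib import Path

# Fixed versions from the WhatsApp advisory for CVE-2025-55177.
# Anything strictly below these is in the affected range.
FIXED_VERSIONS = {
    "WhatsApp for iOS": (2, 25, 21, 73),
    "WhatsApp Business for iOS": (2, 25, 21, 78),
    "WhatsApp for Mac": (2, 25, 21, 78),
}


def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(product, version_text):
    """True when the installed build is older than the fixed build for that product."""
    fixed = FIXED_VERSIONS[product]
    installed = parse_version(version_text)
    # Pad the shorter tuple with zeros so '2.25.21' compares as '2.25.21.0'.
    width = max(len(fixed), len(installed))
    installed = installed + (0,) * (width - len(installed))
    fixed = fixed + (0,) * (width - len(fixed))
    # Tuple comparison is element-wise and numeric, unlike comparing the raw strings.
    return installed < fixed


def installed_mac_version(app_path="/Applications/WhatsApp.app"):
    """Read CFBundleShortVersionString from the bundle's Info.plist; None if the app is absent.

    The bundle path is an assumed default; adjust it for non-standard installs.
    """
    plist = Path(app_path) / "Contents" / "Info.plist"
    if not plist.exists():
        return None
    with plist.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns hosts still in the affected range."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


# Constructed sample inventory (not data from the advisory) to exercise the check.
SAMPLE_INVENTORY = [
    ("laptop-01", "WhatsApp for Mac", "2.25.20.76"),       # older: vulnerable
    ("laptop-02", "WhatsApp for Mac", "2.25.21.78"),       # exactly the fixed build
    ("phone-07", "WhatsApp for iOS", "2.25.21.73"),        # exactly the fixed build
    ("phone-08", "WhatsApp Business for iOS", "2.25.21"),  # padded to 2.25.21.0: vulnerable
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required")
    local = installed_mac_version()
    if local is not None:
        print("local WhatsApp for Mac:", local,
              "VULNERABLE" if is_vulnerable("WhatsApp for Mac", local) else "patched")
```

The same numeric comparison applies to the OS side: compare the device's iOS, iPadOS or macOS build against the versions listed in Apple's advisory for CVE-2025-43300 rather than relying on a string sort.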
When exploited, it could allow an unrelated user to trigger the processing of content from an arbitrary, attacker-chosen URL on the victim’s device. WhatsApp believes that the security flaw was chained with an Apple OS-level vulnerability, CVE-2025-43300, to target specific users.
“We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users,” it stated.
The Apple platform vulnerability CVE-2025-43300 is an out-of-bounds write in the ImageIO framework’s JPEG lossless decompression code. It can be triggered by processing a malicious image file, resulting in memory corruption; chained with the WhatsApp flaw, the malicious URL delivers the image and the decoder bug supplies code execution.
The flaw affects specific versions of macOS, iOS, and iPadOS and was patched in August with improved bounds checking. Apple says the vulnerability may have been exploited in an “extremely sophisticated attack” against specific targeted individuals.
“This form of exploit with no user interactions is particularly challenging to mitigate so it is vital that users update as soon as possible,” said James Maude, Field CTO at BeyondTrust.
Zero-click spyware used for cyberespionage
WhatsApp’s parent company, Meta, has confirmed that roughly 200 users were targeted with the zero-click spyware. However, it gave no specific details regarding the nature of the attacks.
WhatsApp also did not disclose the identity of the threat actor behind the zero-click spyware campaign or the profiles of the victims.
However, similar zero-click spyware attacks have typically targeted political dissidents, journalists, human rights activists, and opposition figures, and the operators are typically government customers of commercial spyware vendors, including authoritarian regimes and law enforcement agencies.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-55177 to the Known Exploited Vulnerabilities (KEV) catalog.
CISA directed federal agencies to update their devices and WhatsApp clients by September 23, 2025, and urged other users to do the same to avoid falling victim to the zero-click spyware campaign. Per the KEV guidance, users who cannot update WhatsApp or their Apple devices should discontinue use of the application until it can be patched.
“For many organizations WhatsApp serves as an unofficial communications tool for employees and may inadvertently hold confidential company information,” added Maude. “While it appears that in this case the exploitation in the wild was brief and identifiable it serves as a reminder to ensure that the lines between personal and professional communication tools remain clear.”
Additionally, WhatsApp also advised compromised users to perform a factory reset on their devices, since the zero-click spyware might already have been installed.
While the WhatsApp advisory specifically targeted Apple devices, Amnesty International suspects that the zero-click spyware campaign may also have targeted Android users, including members of civil society.
“Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them,” warned Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International.
Ó Cearbhaill also warned that the vulnerability could be exploited through other apps besides WhatsApp, since it affects a core Apple image library used by many applications; any app that renders untrusted images through that library is a potential delivery path. The Amnesty tech lead also highlighted that journalists and human rights activists face a persistent and serious threat from government-sponsored spyware.
“Government spyware continues to pose a threat to journalists and human rights defenders,” he added.
WhatsApp targeted in the past
In 2019, WhatsApp sued Israel-based cyber intelligence firm NSO Group over the alleged targeting of more than 1,400 users with its zero-click spyware Pegasus. In 2021, the Pegasus Project, a consortium of news organizations working with Amnesty International, reported on a leaked list of more than 50,000 phone numbers believed to have been selected as potential surveillance targets by NSO Group clients, which included governments and law enforcement agencies.
The scale of that list highlighted how widely zero-click spyware had been deployed by governments around the world.
Pegasus spyware was also found on the phones of several of Jamal Khashoggi’s close associates, including his son, the assassinated Saudi journalist, author, and political dissident having been a target of interest himself. The attempted or successful installation of the spyware occurred both before and after the Saudi government critic was assassinated.
In November 2021, the U.S. government added NSO Group to the Commerce Department’s Entity List, restricting U.S. companies from exporting technology to it. However, the FBI had already purchased the spyware in 2019 and tested it, but ultimately decided against deploying it.
Meanwhile, WhatsApp has previously been exploited to install spyware on both Android and iPhone devices. In early 2025, threat actors used a zero-click exploit against the messaging app to install Paragon’s Graphite spyware; WhatsApp disclosed the campaign in January, and no CVE was assigned to the vulnerability.
WhatsApp fixed the vulnerability, which was analyzed by researchers at the University of Toronto’s Citizen Lab, on the server side, so no client update or user action was required.

