WhatsApp Patches Zero-Click Exploit Used in Spyware Attacks
By Alice Davidson | WASHINGTON – 2025/09/01 10:48:53
WhatsApp has addressed a security vulnerability in its iOS and macOS applications that was exploited by hackers in spyware campaigns using a zero-click exploit. The company has released updates to patch the flaw.
The vulnerability was exploited in conjunction with an OS-level flaw that Apple recently patched with the release of iOS 16.8.2, iPadOS 16.8.2, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8 updates. Apple identified the zero-day threat as CVE-2025-43300, acknowledging it may have been used in targeted attacks.
While Apple did not release specific details regarding the attacks, WhatsApp stated that the attackers leveraged the OS-level flaw alongside a vulnerability in its own application, now identified as CVE-2025-55177, to target a limited number of users. The vulnerability stemmed from an incomplete authorization of linked device synchronization messages, possibly enabling attackers to trigger the processing of content from an arbitrary URL on a target's device. Because it was a zero-click exploit, user interaction, such as clicking a link, was not required.
The affected versions of WhatsApp include WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. WhatsApp has credited its security experts for identifying and resolving the exploit.
According to a report by TechCrunch, Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, characterized the attack as “an advanced spyware campaign” that had been active for over 90 days, starting in late May. The identity of the attackers remains unknown.
Margarita Franklin, a Meta spokesperson, confirmed that the vulnerability was identified and patched several weeks ago. Meta has stated that it notified affected users, with the total number of impacted accounts being fewer than 200.
This is not the first time WhatsApp users have been targeted by spyware. Earlier this year, WhatsApp disrupted a Paragon spyware campaign that targeted journalists and civil society members in Italy. In 2019, WhatsApp sued the NSO Group, the creators of the Pegasus spyware, for compromising the security of over 1400 users. In May 2024, a U.S. court ordered the NSO Group to pay WhatsApp $167 million in damages.
