WhatsApp has patched a serious security flaw that hackers used to secretly break into iPhones and Macs without any user interaction. The messaging giant confirmed that fewer than 200 users worldwide were targeted in this sophisticated attack that began in late May and continued for about 90 days.
The vulnerability, officially known as CVE-2025-55177, allowed attackers to exploit a weakness in WhatsApp’s linked device synchronization system. This flaw was then combined with a separate Apple vulnerability (CVE-2025-43300) in the ImageIO framework to create a powerful “zero-click” attack chain that could compromise devices without victims having to tap anything or click any links.
“The attack was able to compromise your device and the data it contains, including messages,” explained Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, in a post that included a screenshot of the threat notification WhatsApp sent to affected users.
What makes this attack particularly dangerous is its silent nature. Unlike many hacking attempts that require victims to click on malicious links or download suspicious files, this exploit worked invisibly in the background when the target received a specially crafted message.
The technical details reveal how the attackers chained these vulnerabilities together. First, they exploited WhatsApp’s authorization flaw to trigger the processing of content from an arbitrary URL on a victim’s device. Then, they leveraged Apple’s ImageIO vulnerability—an “out-of-bounds write” bug that could corrupt memory when processing a malicious image—to gain deeper access to the device.
Apple described its bug as being used in an “extremely sophisticated attack against specific targeted individuals” when it released a fix last week. The affected WhatsApp versions include WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78.
Security experts recommend that users take immediate action by updating both WhatsApp and their operating systems. For complete protection, iPhone and Mac users need to install WhatsApp’s latest version and Apple’s recent security updates: iOS/iPadOS 18.6.2 or macOS Sequoia 15.6.1.
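For anyone responsible for a fleet of iPhones and Macs, the practical question is which devices still run a WhatsApp build or OS release below the fixed versions named above. The script below is an added example (not WhatsApp's or Apple's code) that encodes those thresholds and flags every component still below them. It assumes a simple inventory format (a list of device dicts with a `components` map) and a hypothetical set of sample devices; both are constructed for illustration. Any version below the fixed release is treated as still exposed, which is an assumption, since the article names only the fixed versions.

```python
"""Triage helper: flag devices whose WhatsApp client or OS version is below the
fixed releases named in the advisory text. Added example, not vendor code."""
from typing import NamedTuple

# Minimum fixed versions as stated in the article. Anything lower is treated as
# still exposed to CVE-2025-55177 (WhatsApp) or CVE-2025-43300 (Apple ImageIO).
FIXED_VERSIONS = {
    "whatsapp_ios": "2.25.21.73",
    "whatsapp_business_ios": "2.25.21.78",
    "whatsapp_mac": "2.25.21.78",
    "ios": "18.6.2",      # iOS/iPadOS release carrying the ImageIO fix
    "macos": "15.6.1",    # macOS Sequoia release carrying the ImageIO fix
}


def parse_version(text: str) -> tuple:
    """Turn '2.25.21.73' (or 'v2.25.21.78') into (2, 25, 21, 73) so versions
    compare numerically, not lexically: '2.25.21.9' must sort below '2.25.21.73'."""
    parts = text.strip().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(component: str, installed: str) -> bool:
    """True when the installed version is below the fixed version for that component."""
    installed_v = parse_version(installed)
    fixed_v = parse_version(FIXED_VERSIONS[component])
    # Pad the shorter tuple with zeros so (18, 6) compares as 18.6.0 against 18.6.2.
    width = max(len(installed_v), len(fixed_v))
    installed_v += (0,) * (width - len(installed_v))
    fixed_v += (0,) * (width - len(fixed_v))
    return installed_v < fixed_v


class Finding(NamedTuple):
    device: str
    component: str
    installed: str
    fixed: str


def triage(inventory: list) -> list:
    """Walk an inventory of devices and return every component still below the fix.
    A device is fully covered only when BOTH the WhatsApp client and the OS are
    patched, because the reported exploit chained a flaw in each."""
    findings = []
    for device in inventory:
        for component, installed in device["components"].items():
            if needs_update(component, installed):
                findings.append(
                    Finding(device["name"], component, installed, FIXED_VERSIONS[component])
                )
    return findings


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    {"name": "iphone-reporter-01",
     "components": {"whatsapp_ios": "2.25.21.9", "ios": "18.6.2"}},
    {"name": "iphone-editor-02",
     "components": {"whatsapp_ios": "2.25.21.73", "ios": "18.6.1"}},
    {"name": "macbook-desk-03",
     "components": {"whatsapp_mac": "2.25.21.78", "macos": "15.6.1"}},
    {"name": "iphone-biz-04",
     "components": {"whatsapp_business_ios": "v2.25.21.78", "ios": "18.6.2"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.device}: {f.component} {f.installed} is below fixed {f.fixed}")
```

Run against the sample inventory, the script reports two devices: one with an old WhatsApp client on a patched iOS, and one with a patched client on an unpatched iOS. Both still need attention, which is the point of checking the client and the OS together rather than either alone.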
For those who received a threat notification from WhatsApp, the company recommends a complete factory reset of the device in addition to installing all updates.
While Meta (WhatsApp’s parent company) has not publicly attributed these attacks to any specific group, the targeting pattern follows similar commercial spyware campaigns. The victims primarily included members of civil society, such as journalists and human rights defenders.
This isn’t WhatsApp’s first battle with spyware. Earlier this year, the company disrupted a campaign targeting around 90 users in Italy, linked to a spyware operation by a company called Paragon. In a more significant case from 2019, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a hacking campaign that affected more than 1,400 WhatsApp users.
As commercial spyware continues to evolve, security experts emphasize that ordinary users face minimal risk from these highly targeted attacks. However, all users should keep their apps and operating systems updated to protect against similar vulnerabilities that might emerge in the future.