Meta-owned WhatsApp has patched a high-severity security vulnerability (CVE-2025-55177) in its iOS and macOS apps that was actively exploited in targeted spyware attacks.
The flaw, discovered by WhatsApp’s internal security team, involved insufficient authorization of linked device synchronization messages. Attackers could have triggered the processing of content from arbitrary URLs on a victim’s device without any user interaction, a so-called “zero-click” exploit.
The vulnerability affected:
· WhatsApp for iOS before version 2.25.21.73 (patched July 28, 2025)
· WhatsApp Business for iOS before version 2.25.21.78 (patched August 4, 2025)
· WhatsApp for Mac before version 2.25.21.78 (patched August 4, 2025)
Security researchers believe the exploit was chained with a recently disclosed Apple zero-day (CVE-2025-43300), an ImageIO out-of-bounds write bug that has been weaponized in advanced spyware campaigns. Amnesty International’s Security Lab reported that journalists, human rights defenders, and other civil society individuals were among the targeted victims.
WhatsApp has directly notified impacted users and recommended immediate device updates, as well as factory resets in some cases. Amnesty’s Donncha Ó Cearbhaill warned: “Government spyware continues to pose a threat to journalists and human rights defenders.”
Advice to Users:
· WhatsApp users on iOS and Mac should update immediately to the latest versions.
· iPhone and Mac users should also install Apple’s latest security patches.