WhatsApp has released critical security fixes for its iOS and Mac applications following the discovery and exploitation of a high-severity vulnerability that allowed attackers to install spyware through zero-click attacks. The flaw, tracked as CVE-2025-55177, pertained to incomplete authorization during linked device synchronization. This weakness enabled attackers to trigger the processing of malicious content from arbitrary
This vulnerability was part of a sophisticated attack campaign and was leveraged in conjunction with another flaw, CVE-2025-43300, which was addressed earlier in August 2025. These vulnerabilities were used to compromise specific, high-profile individuals through attacks that required no action from the recipient—a hallmark of zero-click exploits.
The nature of these attacks suggests they were highly targeted. Meta, WhatsApp’s parent company, confirmed that fewer than 200 notifications were sent to users whose accounts or devices were potentially compromised. Security researchers, including those at Amnesty International’s Security Lab, have described this as an advanced spyware campaign active since May 2025.
At this time, no group has publicly claimed responsibility for the attacks, nor has there been any concrete attribution. Meta and other security experts have emphasized the seriousness of such vulnerabilities, which are often exploited for espionage against diplomats, journalists, activists, and government officials.
Users of WhatsApp on iOS and Mac are strongly encouraged to update their applications to the latest versions immediately to ensure protection against these vulnerabilities. Zero-click attacks remain rare but highly effective, underscoring the importance of keeping all devices and applications fully up to date with security patches.