WhatsApp has addressed a security vulnerability in its iOS and macOS messaging apps that was actively exploited in targeted zero-day attacks.
The flaw, identified as CVE-2025-55177, is a zero-click vulnerability affecting WhatsApp for iOS versions earlier than 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78.
According to a security advisory released on Friday, WhatsApp explained that "incomplete authorization of linked device synchronization messages" could have allowed an unrelated user to trigger content processing from any URL on a victim's device. The company believes this flaw may have been used in combination with an Apple operating system vulnerability (CVE-2025-43300) in a highly sophisticated attack targeting specific individuals.
Apple issued emergency updates earlier this month to fix CVE-2025-43300 and confirmed that the vulnerability had been exploited in an advanced attack. Although further details have not yet been released by either company, Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, revealed that WhatsApp recently notified certain users about being targeted in a spyware campaign over the past three months.
The alerts from WhatsApp stated that while the company has taken steps to block this particular attack, the device's operating system may still be compromised or vulnerable to other threats. Affected users were advised to perform a factory reset and ensure their operating systems and apps are fully updated.
In a separate incident earlier this year, WhatsApp resolved another zero-day vulnerability that was used to deploy Graphite spyware developed by Paragon. That attack, reported by researchers at the University of Toronto’s Citizen Lab, targeted journalists and members of civil society.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
