WhatsApp just fixed a serious security issue in its iOS and Mac applications, which was used to target a handful of high-profile iPhone, iPad, and Mac owners with a zero-click attack. In a security advisory, the most popular messaging service on the platform said it fixed the flaw — codenamed CVE-2025-55177 — as it could "have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device."
This high-severity vulnerability was allegedly chained with a separate flaw, fixed earlier in August, tracked as CVE-2025-43300. These two were used "in a sophisticated attack against specific targeted users.”
Android users were not impacted in this latest security flaw.
For those who don't know, a "zero-click" attack means, as the name suggests, you don't need to click or download any suspicious links in emails or documents to infect your device. Instead, the spyware could infect your device simply by receiving a malicious message. Once installed, this spyware could access everything on your device, including your messages, photos, camera and microphone.
Mark Zuckerberg is the Chief Executive of Meta, which owns some of the most popular social platforms on the planet, including Instagram, Facebook, and WhatsApp | REUTERS So, are you at risk?
The good news is that this was a highly targeted campaign affecting fewer than 200 people worldwide. Meta spokesperson Margarita Franklin confirmed the company sent breach notifications to this small group of victims.
It's crucial to point that — these attacks were not random. Instead, they were specifically targeting high-profile individuals, including journalists and members of civil society organisations.
Senior Security Strategy Manager at software firm Jamf, Adam Boynton told GB News: "WhatsApp and Apple devices are some of the most widely used technologies on the planet, especially among senior executives.
"That popularity makes them prime targets. Attackers know that if they can find a way in, the payoff is huge. This is why we see significant investment from adversaries in uncovering zero-click vulnerabilities like this one.
"The objective is rarely just the initial compromise. Exploits of this kind are often a launchpad for extracting sensitive data, harvesting credentials, eavesdropping on conversations, or even staging a ransomware attack further down the line.
"This is why patching apps and keeping operating systems up to date is so critical. Apple does an excellent job of making security updates widely available and easy to apply, but organisations must ensure those updates are adopted quickly and consistently."
Mr Boynton added: "The lesson here is clear: do not underestimate the risk because a platform is popular and trusted. For attackers, that popularity is exactly what makes it worth targeting."
LATEST DEVELOPMENTS
According to Donncha Ó Cearbhaill, who leads Amnesty International's Security Lab, the spyware campaign was active for approximately 90 days, starting around late May 2025.
These sophisticated attacks typically focus on politicians, diplomats, activists, government officials and defence personnel, people whose communications might be of particular interest to nation-state actors or advanced hacking groups. How did the hackers combine two security threats?
The WhatsApp vulnerability allowed attackers to trigger your device to process content from malicious URLs without your knowledge. Apple also had a confirmed security weakness, where devices were able to process malicious image files.
When combined with Apple's image processing bug, hackers could send corrupted image files that would compromise your device's memory. Here's what makes zero-click attacks particularly dangerous: you don't need to do anything for them to work.
Traditional malware requires you to click a link or download a file, but these exploits activate automatically when your device receives the malicious content. The spyware could then access your camera, microphone, messages and personal files without any visible signs of infection.
WhatsApp fixed the vulnerability in its latest software updates for iOS, WhatsApp Business, and Mac.
If you'd like to manually update the app, follow these steps on your Apple devices:
- Open the App Store.
- Tap your profile icon in the top-right corner.
- Scroll down to see pending updates.
- If WhatsApp appears in the list, tap "Update" next to it.
- If it’s not listed, it’s likely already up to date.
- Wait for the update to complete.
To keep WhatsApp automatically updated:
Go to Settings > App Store > Toggle on App Updates.
Our team at Amnesty International's Security Lab is actively investigating cases with a number of individuals targeted in this campaign.
— Donncha Ó Cearbhaill (@DonnchaC) August 29, 2025
We are available to support members of civil society who have received the WhatsApp notifications. Contact us at share@amnesty.tech
WhatsApp has been sending breach notifications to affected users, warning them that their devices and data, including messages, were likely compromised. The company detected and patched the vulnerability "a few weeks ago," according to Meta's statement.
Amnesty International's Security Lab is actively investigating cases involving targeted individuals from this campaign. "Our team at Amnesty International's Security Lab is actively investigating cases with a number of individuals targeted in this campaign," Ó Cearbhaill stated on X. "We are available to support members of civil society who have received the WhatsApp notifications."
If you've received a WhatsApp threat notification, security experts recommend seeking immediate professional help. The investigation remains ongoing, with no threat actors yet claiming responsibility for these attacks.
More From GB News