WhatsApp patched a critical security bug in its iOS and macOS apps after discovering it had been used to compromise Apple devices. The flaw, tracked as CVE-2025-55177, was chained with a separate Apple vulnerability, CVE-2025-43300, to execute a stealthy, no-interaction exploit. Consequently, dozens of specific users were targeted over roughly a 90-day window. WhatsApp notified fewer than 200 affected accounts and deployed a fix weeks after detection.
How the attack worked
First, the two vulnerabilities were combined so that a malicious payload could be delivered through a WhatsApp message without any user action. Then, the chained exploit escalated privileges and accessed data on the compromised device, including messages. Security analysis characterizes the campaign as an advanced spyware operation that used zero-click techniques to bypass normal protections. At present, attribution remains unclear, and no definitive vendor or actor has been publicly confirmed.
Context and response
This incident follows earlier high-profile spyware cases that exploited zero-day flaws to breach fully patched devices. As a result, messaging platforms and OS vendors continue to prioritize rapid patching and coordinated disclosure. Moving forward, users should keep apps and system software updated, enable platform security features, and review any vendor notifications about potential compromises. Finally, organizations that protect sensitive accounts are advised to monitor alerts and apply multi-factor protections where possible.
