WhatsApp on Friday confirmed it has fixed a critical security flaw that left some iPhone and Mac users vulnerable to advanced spyware attacks. The Meta-owned messaging service said the vulnerability, tracked as CVE-2025-55177, was patched in recent app updates.
The flaw was linked to another bug in Apple devices, CVE-2025-43300, which the company fixed last week. Together, the two weaknesses formed a zero-click exploit, capable of compromising a device without requiring the victim to click a link or interact with the app.
Amnesty International’s Security Lab, which investigated the campaign, said the spyware attacks had been ongoing since late May and described them as highly sophisticated. Once exploited, the chain allowed attackers to access sensitive data, including private WhatsApp messages.
Meta said it detected the activity weeks ago and notified fewer than 200 affected users. The company did not identify the perpetrators but confirmed that the incident bore similarities to previous government-linked spyware campaigns.
WhatsApp has a history of being targeted by surveillance vendors. In 2019, spyware maker NSO Group exploited a similar zero-day to install Pegasus spyware, leading to a U.S. court ordering NSO to pay WhatsApp $167 million in damages. Earlier this year, WhatsApp also disrupted a campaign using Paragon spyware that targeted journalists in Italy.
The latest discovery underscores the ongoing threat of zero-day vulnerabilities being exploited against high-risk individuals, even on fully patched Apple devices.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
