WhatsApp fixes major security bug exploited in spyware attacks on Apple devices

WhatsApp has patched a critical flaw that hackers exploited in a sophisticated spyware campaign targeting fewer than 200 Apple users.

Business Today Desk
  • Sep 2, 2025,
  • Updated Sep 2, 2025 12:17 PM IST

WhatsApp confirmed last week that it has fixed a severe security flaw in its iOS and Mac apps that was being used to hack into Apple devices belonging to “specific targeted users.”

In a security advisory, the Meta-owned messaging platform said it addressed the vulnerability, officially tracked as CVE-2025-55177. The flaw was exploited in combination with another Apple vulnerability, CVE-2025-43300, which the iPhone maker patched last week. Apple described the exploit as part of an “extremely sophisticated attack against specific targeted individuals.”

According to WhatsApp, dozens of users were targeted through the linked vulnerabilities. Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, described the incident on X as an “advanced spyware campaign” that had been ongoing for the past 90 days. He explained that the attack relied on a “zero-click” method, meaning victims did not need to click a link or take any action for their devices to be compromised.

The chained vulnerabilities allowed attackers to deliver, through WhatsApp, a malicious exploit capable of stealing sensitive data. A threat notification shared by Ó Cearbhaill revealed that the exploit could “compromise your device and the data it contains, including messages.”

This is not the first time the messaging service has been targeted with government-grade spyware. In May, a U.S. court ordered Israeli firm NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that infected more than 1,400 users’ devices with the company’s Pegasus spyware.

Earlier this year, WhatsApp also disrupted another spyware campaign that targeted around 90 people, including journalists and civil society members in Italy. The Italian government denied involvement, and spyware vendor Paragon later cut off Italy’s access to its tools after the abuse came to light.
