WhatsApp has recently taken action to patch a high-severity security flaw that posed a potential threat to its users on Apple iOS and macOS platforms. The vulnerability, tracked as CVE-2025-55177 with a CVSS score of 8.0, was discovered by the WhatsApp Security Team, who have also been credited with reassessing and rerating its impact. The flaw stemmed from insufficient authorization in linked device synchronization messages, which could have been exploited in real-world attacks. According to the Meta-owned company, the bug created a scenario in which an attacker could potentially trigger the processing of malicious content from an arbitrary URL on a target’s device.

The issue specifically impacted WhatsApp for iOS versions prior to 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78. What makes this flaw particularly concerning is the likelihood that it was combined with another Apple vulnerability, CVE-2025-43300, as part of a chain in sophisticated zero-day attacks. Apple had only recently disclosed CVE-2025-43300, describing it as an out-of-bounds write vulnerability in the ImageIO framework. This flaw could cause memory corruption when processing a maliciously crafted image and had already been reported as weaponized in highly targeted campaigns against specific individuals.

Experts believe that these vulnerabilities together may have enabled an advanced form of cyber-espionage. Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, confirmed that WhatsApp has already begun notifying a number of individuals it believes were targeted within the past 90 days. These attacks appear to be linked to advanced spyware campaigns. In its warnings, WhatsApp urged affected users to take drastic measures, including performing a complete factory reset of their devices and ensuring both their operating system and WhatsApp app remain fully updated. At this stage, it remains unclear which spyware vendor or threat actor was behind these attacks.

Security researchers have emphasized that these vulnerabilities represent a “zero-click” attack vector, meaning no user interaction—such as clicking a link or downloading a file—was required for compromise. Such attacks are particularly dangerous, as they give individuals no visible indication that their devices have been infiltrated. Ó Cearbhaill also highlighted that the impact is not limited to iPhone users alone; Android devices are believed to have been targeted as well. Alarmingly, the victims appear to include members of civil society, including journalists and human rights defenders, underscoring the persistent threat of government-backed spyware operations against vulnerable communities worldwide.

Through this disclosure, WhatsApp and Apple’s recent findings highlight the growing sophistication of spyware campaigns and the critical importance of timely patching and security updates. The incident serves as another stark reminder that even well-defended platforms can become avenues for targeted surveillance when attackers leverage multiple vulnerabilities in unison.