WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices - The Hacker News

The Hacker News. Archived Mar 16, 2026.

Ravie Lakshmanan | Aug 30, 2025 | Zero-Day / Vulnerability

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.

The vulnerability, CVE-2025-55177 (CVSS score: 5.4), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and rerating the bug.

The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device." The flaw affects the following versions -

- WhatsApp for iOS prior to version 2.25.21.73 (Patched on July 28, 2025)
- WhatsApp Business for iOS version 2.25.21.78 (Patched on August 4, 2025), and
- WhatsApp for Mac version 2.25.21.78 (Patched on August 4, 2025)

It also assessed that the shortcoming may have been chained with CVE-2025-43300, a vulnerability affecting iOS, iPadOS, and macOS, as part of a sophisticated attack against specific targeted users.

CVE-2025-43300 was disclosed by Apple last week as having been weaponized in an "extremely sophisticated attack against specific targeted individuals." The vulnerability in question is an out-of-bounds write vulnerability in the ImageIO framework that could result in memory corruption when processing a malicious image.

Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, said WhatsApp has notified an unspecified number of individuals that they believe were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177.

In the alert sent to the targeted individuals, WhatsApp has also recommended performing a full device factory reset and keeping their operating system and the WhatsApp app up-to-date for optimal protection.
It's currently not known who, or which spyware vendor, is behind the attacks. Ó Cearbhaill described the pair of vulnerabilities as a "zero-click" attack, meaning it does not require any user interaction, such as clicking a link, to compromise their device.

"Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them," Ó Cearbhaill said. "Government spyware continues to pose a threat to journalists and human rights defenders."

Update: In a statement shared with The Hacker News, WhatsApp said it sent in-app threat notifications to less than 200 users who may have been targeted as part of the campaign.

(The story was updated after publication to clarify that patches were released for the flaw in late July/August 2025. It was updated again on September 2, 2025, to reflect the latest CVSS score published in the NIST NVD database.)
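An added example, not part of the original article and not WhatsApp's own tooling: a fleet inventory check that flags installs older than the fixed builds listed above. The CSV column layout and device names are hypothetical, and the script assumes each version the article lists is the first fixed build for that product.

```python
import csv
import io

# First fixed build per product, as listed in the article. Assumption: any
# lower version of the same product is treated as affected.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(installed, fixed):
    """Compare numerically, padding the shorter version with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(inventory_csv):
    """Return (device, product, status) for every row naming a tracked product."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["product"])
        if fixed is None:
            continue  # not one of the products named in the article
        try:
            status = "UPDATE" if is_older(row["version"], fixed) else "ok"
        except ValueError:
            status = "REVIEW"  # unknown version string: check by hand
        findings.append((row["device"], row["product"], status))
    return findings

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE = """device,product,version
iphone-014,WhatsApp for iOS,2.25.21.72
iphone-022,WhatsApp for iOS,2.25.21.73
iphone-031,WhatsApp Business for iOS,2.25.9
mac-007,WhatsApp for Mac,2.25.21.78
mac-011,WhatsApp for Mac,beta-build
ipad-002,Signal,7.50
"""

if __name__ == "__main__":
    for device, product, status in triage(SAMPLE):
        print(f"{status:7} {device:12} {product}")
```

Rows marked REVIEW carry a version string the parser could not read and need a manual check rather than being assumed patched.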