The messenger service WhatsApp has fixed a critical security vulnerability in its Apple clients that allowed attackers to install spyware without any user interaction. According to Meta, the vulnerability with the identifier CVE-2025-55177 was already fixed a few weeks ago.
The WhatsApp vulnerability only worked in conjunction with the Apple vulnerability CVE-2025-43300, which the iPhone manufacturer fixed last week with a security update. At the time, Apple spoke of sophisticated attacks on selected individuals without providing details.
Amnesty International has now confirmed that the attack campaign was active for around 90 days. Donncha Ó Cearbhaill from the human rights organization’s Security Lab describes the attack as a zero-click exploit in which victims do not have to click on any suspicious links or open any files.
Data extraction via messenger channel
The exploit chain made it possible to smuggle malicious code onto iOS and macOS systems via WhatsApp. Once a device was successfully compromised, attackers were able to access all of its data, as can be seen from the warning messages sent to affected users.
Meta spokeswoman Margarita Franklin confirmed that fewer than 200 notifications were sent out. The company did not provide any information on the origin of the attacks or the spyware product used.
Updates are available
Users should install both the latest WhatsApp version and the latest operating system updates from Apple to close both vulnerabilities. The patches are available via the respective update mechanisms.