WhatsApp has released fixes for a critical vulnerability in its iOS and macOS apps that may have been exploited in targeted attacks. The flaw, tracked as CVE-2025-55177, stemmed from insufficient authorization in linked device synchronization and was discovered by WhatsApp’s internal security team. Meta said the bug could have allowed attackers to process malicious content from arbitrary URLs on a victim’s device.
The issue affected WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS 2.25.21.78, and WhatsApp for Mac 2.25.21.78, all patched in late July and early August. Researchers believe the weakness may have been chained with CVE-2025-43300, a zero-day in Apple’s ImageIO framework that was recently exploited to target individuals.

Amnesty International reported that WhatsApp has alerted certain users who may have been targeted in spyware campaigns over the past three months. The company advised affected individuals to perform a full device reset and ensure their operating system and apps remain updated. “This is a classic example of a zero-click attack, where no user interaction is needed to compromise a device,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab. He warned that this spyware continues to pose serious risks to journalists, activists, and human rights defenders.