WhatsApp 0-Day Exploited in Targeted Attacks on Mac and iOS Platforms

 

Providing a fresh reminder of the constant threat to widespread communication platforms, WhatsApp has disclosed and patched a vulnerability affecting its iOS and macOS applications. The vulnerability has already been exploited in real-world attacks, according to WhatsApp, which warns it may already have been exploited in the past. 

It has a CVSS score of 5.4 and is tracked as CVE-2025-55177. The vulnerability is caused by an insufficient level of authorisation when handling linked device synchronization messages. As a result of the vulnerability, WhatsApp has warned that a malicious actor could potentially compromise the security of users by manipulating content processing using arbitrary URLs on the target device. 

In a statement, the Meta-owned company credited its in-house security team with discovering and analyzing this bug, which is thought to have been exploited in combination with a recently revealed Apple zero-day vulnerability as part of targeted attacks on the company. The incident was deemed to be the result of an "advanced spyware campaign" by Donncha Cearbhaill of Amnesty International's Security Lab, which notes it had been active for approximately 90 days and used zero-click delivery techniques. 

Through this technique, attackers were able to spread malicious exploits through WhatsApp without requiring any interaction from the victim, allowing them to steal data from Apple devices silently and raising serious concerns about the resilience of even highly secure platforms. By way of spokesperson Margarita Franklin, Meta, the parent company of WhatsApp, confirmed that the flaw had been identified and patched several weeks ago, with notification sent to less than 200 users who had been affected. 

Even though the company has not attributed the operation to any specific threat actor or spyware vendor, the lack of attribution highlights how difficult it may be to trace such sophisticated campaigns when it comes to tracking them down. Technology providers are facing increasingly complex and stealthy attacks on popular communication tools, which is why the episode emphasizes the mounting challenges they face in defending them against such attacks. 

Recently, a critical flaw has been discovered in WhatsApp which has been catalogued as CVE-2025-55177, which has once again brought to the fore the security landscape around widely used communication platforms. Based on initial CVSS scores of 5.4 and 8.0, the vulnerability highlights how zero-day exploits continue to pose a challenge to users and device integrity, as well as undermine privacy and device integrity. 

It is believed that the root of the flaw is due to incomplete authorization in the handling of synchronization messages between linked devices. This weakness was the basis of the attack, which could be exploited as a tool to override the expected security features. Using this vulnerability, a malicious actor who has no legitimate association with the target could force a victim's device to process content from an arbitrary URL on its own behalf if exploited. 

The manipulation of trusted communication channels could serve as an entry point for remote code execution, or unauthorized delivery of malicious content, directly from the attacker's infrastructure, which can then be used to deliver malicious content. In such a scenario, users' trust is not only compromised, but it also highlights how vulnerable application-level security measures can be if authorization mechanisms are not properly enforced. 

There is an added level of seriousness to this discovery, since the exploit appears to have been a zero-click attack. In contrast to conventional attacks that require the user to open a file or click on a link, zero-click exploits do not require the user to interact with them whatsoever, which significantly reduces the chances of detection. 

As a result of silent compromises, attackers are able to install spyware or malicious code swiftly, discreetly, and with little or no trace until the damage has been done. WhatsApp's internal security team believes that the CVE-2025-55177 vulnerability was not an isolated occurrence. Rather than being isolated from the other vulnerability within Apple's ecosystem, it is thought to have been chained together with a separate vulnerability within the Apple ecosystem – CVE-2025-43300 – to allow sophisticated, targeted attacks.

In the Apple case, a CVSS score of 8.8 was assigned to the ImageIO framework that was characterized by an out-of-bounds write condition. When these vulnerabilities occur during the processing of images, they can corrupt memory, giving way to deeper system-level vulnerabilities. An exploit chaining strategy, whereby an application-level bug is paired up with an operating system vulnerability in order to maximize the scope and stealth of a campaign, is an increasingly popular strategy among advanced adversaries as a means of maximizing the scope and stealth of their operations. 

On August 20, Apple updated its entire product line in order to address CVE-2025-43300, issuing patches for iOS 18.6.2, iPadOS 18.6.2, and 17.7.10, Mac OS Sequoia 15.6.1, Mac OS Sonoma 14.7.2, and Mac OS Ventura 13.7.1. It was noted in the advisory that while the company had refrained from providing detailed technical details, they had been aware of reports that the flaw had already been exploited against specific individuals by users in the wild.

In line with the tactics used by state-sponsored groups and well-funded spyware vendors, these attacks were highly targeted and not indiscriminate, as they suggest that these attacks were highly targeted and not indiscriminate. In addition to mitigating the threat quickly, WhatsApp has also quickly rolled out patches that fix CVE-2025-55177 on all its platforms, rolling it out in late July and early August 2025. As with Apple, WhatsApp's version of iOS 2.2.21.73, WhatsApp Business, and WhatsApp for Mac all came with the patches. 

However, as Apple did, WhatsApp did not provide details of the observed attacks, and provided limited commentary on the nature or scale of the exploitation. The reticence that occurs when a zero-day exploitation is being actively exploited is not unusual, as revealing too much could help threat actors improve their techniques inadvertently. 

While the extent of the campaign is still unknown, the operational sophistication implied by these exploits suggests that an adversary with adequate resources has been engaged in this operation. This is because of the fact that zero-click vectors are being used as well as the seamless chaining of vulnerabilities across both application and operating system layers, which illustrates how complex cyber threats are becoming. 

In the broader context of these incidents, it is important to recognize that attackers are increasingly using multi-layered exploit chains to get around user defenses, get past traditional detection methods, and implant spyware in a highly precise manner. Taking a broader perspective of the WhatsApp and Apple vulnerabilities, it is important to note that today's interconnected digital environment creates a precarious balance between convenience and security. 

With the rapid expansion of messaging platforms, the attack surface is inevitably bound to increase, allowing adversaries to find weaknesses more easily. According to recent disclosures, it is imperative that timely patches, rigorous vulnerability management, and ongoing collaboration between vendors be implemented so that coordinated, high-level exploitation campaigns are limited in impact. 

In order to defend against zero-click exploit campaigns that leverage zero-click exploits, security specialists advise that a routine patch application does not suffice. There is a growing need for organizations to adopt a layered defense strategy that integrates technical safeguards with operational discipline in order to reduce exposure. 

Among the steps to take is updating WhatsApp and other messaging platforms to the most recent patched versions, enforcing mobile device management (MDM) baselines, and implementing solutions for detection and response of mobile endpoints (EDR) that can be used to detect as well as analyse the data. To further enhance resilience, system logs can be monitored for unusual activity, command-and-control traffic can be blocked at the network level, and threat intelligence data can be utilized. 

To eliminate possible persistence mechanisms, factory resets should be recommended when a compromise is suspected. Likewise, it is crucial to build user awareness by providing training on spyware risks and incident reporting, in addition to reviewing incident response playbooks to ensure they address zero-day and zero-click exploitation scenarios. In addition to these practices, organizations should adopt strict communication security policies, and conduct regular third-party risk assessments in order to strengthen their defense against stealthy spyware operations and reduce the impact of sophisticated intrusion attempts on their systems. 

There has been a sharp reminder resulting from the revelations surrounding WhatsApp and Apple vulnerabilities that no platform, no matter how popular or secure it appears to be, is immune to exploitation. In this day and age, zero-click spyware is becoming increasingly sophisticated, which underscores the necessity to treat mobile device security as a strategic priority rather than something people take for granted. 

The best way to do this for individuals would be to develop the habit of downloading and installing software updates as soon as they become available, to exercise caution when unusual behavior occurs on their mobile devices, and to consider the use of trusted mobile security tools. 

Organizations need to shift from compliance checklists and develop a culture of proactive resilience rather than relying on compliance checklists. This means investing in multiple defenses, continuous monitoring, and cross-team collaboration between the IT, security, and legal departments in order to better detect and contain incidents.

It is imperative that technology vendors, independent researchers, and civil society organisations collaboratively work together in order to hold spyware operators accountable for their actions and ensure that users retain trust in their digital communications in the future. 

In spite of vulnerabilities continuing to be found in the digital ecosystem, a combination of rapid response, transparency, and a security-first mindset can turn such incidents into opportunities for stronger defenses and more resilient digital ecosystems by eliminating vulnerabilities as quickly as possible.