WhatsApp Patches iPhone and Mac Vulnerability Exploited in Zero-Click Spyware Attack


Highlights

  • WhatsApp fixed a major iOS and Mac vulnerability exploited in a zero-click spyware attack targeting specific users.
  • Amnesty International revealed a 90-day operation starting in late May, where attackers used WhatsApp to steal sensitive iPhone data without user interaction.
  • This follows past incidents including the Pegasus case and a 2024 campaign targeting journalists in Italy.
WhatsApp security patch on iPhone (Photo by lonely blue on Unsplash)

WhatsApp has rolled out a crucial security fix for a vulnerability in its iOS and Mac apps that was actively exploited to compromise the devices of “specific targeted users.”

The flaw, tracked as CVE-2025-55177, has now been patched, according to a security advisory from the Meta-owned platform. Apple had already addressed a related bug, identified as CVE-2025-43300, which was used in combination with the WhatsApp exploit as part of what the company described as a “very sophisticated attack against specific targeted individuals.”

In a post on X (formerly Twitter), Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, revealed that the campaign lasted for nearly 90 days starting in late May and involved an “advanced spyware operation.” One of the exploited flaws enabled a zero-click attack, allowing hackers to compromise devices without any interaction from the victim.

Ó Cearbhaill further explained that the attack chain leveraged WhatsApp as a delivery method to steal sensitive data from iPhones, including personal messages. WhatsApp has since issued warning notifications to affected users, though the identities of the attackers or spyware vendors behind the campaign remain unknown.

Meanwhile, Meta spokesperson Margarita Franklin confirmed to TechCrunch that the vulnerability had been patched “a few weeks ago” and fewer than 200 WhatsApp users were notified. However, she declined to provide details on who was behind the operation.

This is not the first time WhatsApp has been targeted in government-linked spyware operations. In May, a U.S. court ordered Israeli spyware company NSO Group to pay WhatsApp $167 million in damages over its 2019 Pegasus spyware campaign, which infected more than 1,400 devices.

Earlier in 2024, WhatsApp also blocked a spyware campaign that targeted about 90 individuals, including journalists and civil society members in Italy. While the Italian government denied involvement, spyware maker Paragon later suspended Italy’s access to its surveillance tools.

FAQs

Q1. What vulnerability did WhatsApp patch in its iOS and Mac apps?

Answer. WhatsApp patched a critical flaw tracked as CVE-2025-55177, which was exploited in a zero-click spyware attack targeting specific users. Apple had also addressed a related bug (CVE-2025-43300) used in the same attack chain.

Q2. How did the spyware attack work and who was affected?

Answer. The attack used zero-click techniques, meaning devices were compromised without any user interaction. It targeted fewer than 200 individuals, including those with sensitive data on iPhones, and lasted nearly 90 days starting in late May.

Q3. Has WhatsApp faced similar spyware threats before?

Answer. Yes. In 2019, WhatsApp won a $167 million judgment against NSO Group over the Pegasus spyware. Earlier in 2024, it blocked another campaign targeting journalists and civil society members in Italy.
